Sasser demonstrates the need for speedy patching. PAGE 12 


Scorecard helps Delta Technology weigh IT risks. PA 
Hospitals wasted more than $11 billion as a result of supply chain inefficiencies last year. We profile two hospitals using IT to stop the bleeding. Page 31
Security Threats Raise Concerns About Bluetooth

Some IT managers take steps to limit wireless use; vendors claim risks aren’t widespread

BY BOB BREWIN

Potential security risks posed by the Bluetooth wireless technology are prompting some IT managers to rein in use of [...] mobile phones and PCs on their networks.

Bluetooth vendors are scheduled to hold a press briefing today at which they will discuss the security issues and provide guidance on how users can guard their devices against hackers. But several IT managers last week said they now see a need to protect their networks from Bluetooth attacks by taking the same steps they took to secure their corporate wireless LANs.


Wall Street Pressed on Disaster Plans

Regulators require firms to set strategies for systems resiliency

BY LUCAS MEARIAN

Brokerages and other financial services firms are facing increased pressure from the federal government and regulators within the industry itself to clearly define and test their IT disaster recovery plans. Wall Street firms are also being pushed to consider moving their backup data

Wall Street, page 15


For example, Michael Ciarochi, a network security manager at HomeBanc Corp. in Atlanta, said he discovered last week that Bluetooth radios were included in laptop PCs that were being configured by an IT engineer for delivery to the mortgage lender’s mobile workers. The radios, which operate in the same 2.4-GHz band as 802.11b WLANs, were turned on as a factory default setting.

Ciarochi said he was concerned about the possibility of opening a wireless back door into data stored on the PCs and had the Bluetooth radios turned off before the systems went into use. He added that he expects to have to secure Bluetooth by “locking it down” on devices, the same approach he took with HomeBanc’s WLANs.

Emmett Hawkins, chief technology officer at Leapfrog Services Inc., said he’s so concerned about Bluetooth security risks that he plans to use a

Bluetooth, page 45

50M Electronic Votes Could Be Insecure, Say Researchers

Experts, vendors spar at commission hearing

BY DAN VERTON

WASHINGTON

IT security researchers said they have uncovered significant vulnerabilities in the electronic voting systems that nearly 30% of all registered voters will use in this November’s presidential election.

In testimony before the U.S. Election Assistance Commission last week, security researchers said that without

E-voting, page 45


Schmidt Won’t Run For Congress Seat

Howard Schmidt, chief security officer at eBay Inc., announced Friday that he won’t seek the 8th District congressional seat being vacated in his home state of Washington. The former White House cybersecurity adviser and onetime chief security officer at Microsoft Corp. said he plans to work more closely with the U.S. Department of Homeland Security instead of running for office.

Novell Starts Tests Of Its Mono Tools

Novell Inc. made its Mono open-source application development software available for beta testing and said it expects to ship Version 1.0 by the end of next month. Mono is designed to be an alternative to Microsoft's .Net technology. It includes a runtime environment for .Net applications, an integrated development environment and a compiler for Microsoft’s C# language.

Intel Plans Shift to Dual-Core Chips

Intel Corp. said that it plans by the end of next year to shift all of its processor designs to dual-core chips, affecting everything from notebook PCs to multiprocessor servers. As part of the move to put two processor cores on a single chip across the board, the company has dropped single-core CPUs code-named Tejas and Jayhawk from its product road map.

Short Takes

MICROSOFT promoted Ron Markezich, previously general manager of finance and administration IT, to CIO. He reports to former CIO Rick Devenuti, who now is corporate vice president of worldwide services. . . . ASCENTIAL SOFTWARE CORP. in Westboro, Mass., this week plans to announce a Version 7.5 upgrade of its data integration tools, with shipments due next month.

CA World to Focus on User Concerns, Product Integration


Customers seeking reassurance after company shakeup

BY MATT HAMBLEN

AS COMPUTER Associates International Inc. heads into its annual CA World user conference in two weeks, it faces serious user concerns about the soundness of the company and its leadership.

After witnessing the company’s acknowledgement of accounting improprieties and the ouster of Sanjay Kumar from his position as CEO, users said CA officials must now reassure them that the company will be able to maintain its newfound focus on customer support.

“I want to know if CA will continue to have the same customer-oriented policy,” said Mike Stevenson, enterprise administrator for Peel Regional Police in Brampton, Ontario. Recent leadership changes and financial disclosures are “more important than any technology CA announces, because they mean the organization won't be as focused [on customers] as before.”

Mark Barrenechea, CA's senior vice president of product development, acknowledged last week that CA World attendees will want to be reassured about the Islandia, N.Y.-based company’s financial health. “Certainly, I think the top issue will be the state of the company, [which is] top of mind for everyone and a fair question,” he said.

Tough Issues

Interim CEO Kenneth Cron will deliver the opening keynote at the conference in place of Kumar. Cron “brings a lot of maturity ... a lot of stability ... understands the macro aspects of the marketplace and is providing fantastic interim leadership for us,” Barrenechea said. “[He will] be speaking very directly about the company” at CA World.

And Cron will have some tough issues to speak about. CA announced last week that it had to delay its financial report on its just-ended fourth quarter and revise its revenue calculations for its second and third quarters [QuickLink 46714]. That development followed on the heels of former U.S. Secretary of State Madeleine Albright’s decision to cancel her appearance as a guest speaker, for which she cited personal reasons [QuickLink 46682].

Discussing other plans for CA World, Barrenechea said the company will announce an initiative to significantly expand the horizontal integration of management functions across its four main product lines: eTrust security, BrightStor storage, Unicenter operations management and AllFusion application life-cycle management.

Kenneth McCardle, assistant vice president of information systems at Farm Bureau Casualty Insurance Co. in Ridgeland, Miss., said the integration work is sorely needed. “Sometimes CA products don’t integrate well together,” including products within the Unicenter line, he said.

Chris Poole, president of the Florida CA Users Group and a senior analyst at Convergys Corp. in Jacksonville, also welcomed the integration initiative. “I need [management software] to look at the application layer and not the hardware,” he said.

CA World will be held in Las Vegas on May 23-27. QuickLink 46761

CA World 2004

Key themes will include:

- Reassurances of the soundness of the company and its [...]
- Horizontal integration of four major product groups.
- An expanded commitment to open-source programs.
- An on-demand approach and Sonar automation technology.

CA’s Barrenechea Explains Offshore Strategy

Mark Barrenechea, CA's senior vice president of product development, spoke with Computerworld last week about an offshore strategy that calls for spending a growing percentage of CA’s development dollars on programmers in China and India. Barrenechea stressed that this is being accomplished without sacrificing U.S. developer jobs. Excerpts from the interview follow:

How much of your development work is done offshore?
We're going to put our corporate dollars in emerging markets. It's a natural thing to do. We have a big presence in Australia; we have a growing presence in Hyderabad, India; a growing presence in Hong Kong and Beijing; a growing presence in Eastern Europe.

Are those developer positions ones that are currently in the U.S. that are being moved overseas?
No. We are expanding our R&D efforts by supplementing them with labor in markets that are growing and emerging for us. We have not replaced jobs in the U.S. with overseas jobs. As we get more efficient in what we do, we do free up dollars that we can reinvest.

Will developers in India and China constitute a growing percentage of your software development workforce?
Yes.

You have a set amount of money you can pay for developers. Is it accurate to say that the percentage of that money going to foreign developers is rising?
Yes. It's the same for all software companies. It's true for CA, it’s true for the industry.

What does that curve look like - that increasing curve of money being shifted to overseas developers?
The way that I think it's most appropriate to have the dialogue is to say that I'm going to put our investment into the markets that are emerging. For me, it’s not cost optimization, although there is a benefit to that. It is investing in markets that are growing.

Are there developers at CA who can legitimately complain that they're losing their jobs to workers in China and India?
I think most developers I talk to welcome the concept. Because at the end of the day, they want to compete, and they want to win, and they want to provide value in what they do. And if we can give them more skilled programmers to get it done, they're happy to work in this model.

But that skirts the question. Are there or are there not U.S. developers at CA who are losing their jobs to overseas developers?
My answer is no. That is not the approach we're taking.

- Don Tennant

To read an expanded version of this interview, visit our Web site:
QuickLink 46693
www.computerworld.com
HP, Sun Launch RFID Test Centers

Each offers services to help companies comply with product tagging mandates

BY CAROL SLIWA

The RFID bandwagon continues to pick up steam, as Hewlett-Packard Co. and Sun Microsystems Inc. launch test centers and other offerings to assist companies facing mandates from retailers such as Wal-Mart Stores Inc. to adopt the technology.

Last week, Sun opened the doors to its 17,000-square-foot RFID Test Center in Carrollton, Texas, where companies can test and evaluate equipment in an environment that simulates the warehouses where they will deploy radio frequency identification tags and readers. Sun also plans to show users at the center how to get long-term business benefits by integrating RFID data with their back-end systems.

Meanwhile, HP today will announce the launch of its RFID Center of Excellence in Palo Alto, Calif., where customers can learn more about the vendor’s RFID vision, build RFID road maps and conduct proofs of concept.

“It’s a good place to show people what’s possible, how things are going to look, what’s going to pan out,” said Salil Pradham, chief technologist for HP’s RFID program.

HP plans to share lessons it has learned as a participant in the pilot that Wal-Mart launched last month with eight product manufacturers at select stores and one regional distribution center in the Dallas/Fort Worth area, according to Pradham. HP is affixing RFID tags to pallets, cases and boxes of PCs, printers, scanners, ink-jet cartridges and other products it ships to Wal-Mart.

HP’s services unit also introduced a trio of new offerings: an RFID Discovery Service to help companies that are developing their own RFID strategies; an RFID Readiness Assessment that calls for a review of business processes, applications and infrastructures to produce a deployment road map; and an RFID Adaptive Starter Kit to help companies justify their investments through proofs of concept conducted at their own sites or at the HP center.

Building a Business Case

But internal experience with RFID had little to do with Conros Corp.’s selection of HP to help with a pilot project to ensure that its tags and readers work accurately, said CEO Navin Chandaria. He said he wanted to work with a company that cuts through bureaucratic red tape, gets excited about taking risks and understands both technology and business.

North York, Ontario-based Conros, a supplier of artificial fire logs and other products to Wal-Mart, is also working with HP on software that will help the company make use of the data generated by RFID systems, Chandaria added.

Although many industry analysts say Wal-Mart’s suppliers are having a tough time building an internal business case for RFID, Chandaria said he has no doubt that his company’s investment in RFID technology will be worth it.

Victor Garcia, the managing principal for HP’s wireless and mobility program in Toronto, predicted that Conros will see a return on its investment within a year or two, based on increased inventory visibility and improved efficiencies.

Sun and Paris-based Capgemini announced last week that they are launching a jointly developed RFID service and product offering that is aimed at optimizing the full supply chain.

Juan Carlos Soto, director of advanced development at Sun, said Capgemini brings RFID expertise, and his company brings the systems to analyze [...] manage [...] process the data that will [...]

But Jeff Woods, an analyst at Gartner Inc., [...] customers mer[...] comply wit[...] approach [...] ships and expensive of[...] will fall apart. “You d[...] $300-an-hour cons[...] tell you how to labe[...]ucts,” he said.

Woods claimed that suppliers facing comp[...] deadlines from Wal-Mart have given up on finding an internal business case at this point.

COMPANIES CAN TEST RFID equipment at Sun’s new test center in Texas.

Printing Services Getting Outsourced to Cut Costs

Some companies find equipment too expensive to own, hard to keep track of

BY PATRICK THIBODEAU

Ford Motor Co. estimates that its maintenance and support costs for office printing are in the range of $40 million to $50 million. But that’s only an estimate. While Ford knows how many PCs it has — 172,000 — it can’t say for certain how many printers are installed.

“The reality is, we don’t know how many devices we’ve got,” said Clive Johnson, Ford’s European deskside services manager. But based on its studies and pilots, the automaker maintains that under its recently signed agreement with Hewlett-Packard Co., it can reduce printing costs by 20% to 30%.

Johnson said he’s become so aware of the cost of printing that when he sees papers in a wastebasket, “I don’t see paper in there, I see dollars in there.”

Ford officials last week shared details of a printer outsourcing agreement it signed with HP, which follows pilot projects at Ford facilities in London and Dearborn, Mich. Ford and HP officials declined to disclose the value of the contract, however.

Ford is one of the largest and most visible companies to outsource its printing services. But analysts say there’s accelerating interest in improving printer management, and in many cases, companies may choose to outsource.

“The problem that Ford has is very, very common,” said Ken Weilerstein, an analyst at Gartner Inc. in Stamford, Conn. Most companies don’t know how much they are spending, he said, adding, “They don’t really know how they are using the equipment, and they really can’t pinpoint the benefit from what they’ve got.”

Gartner estimates that by the end of next year, 60% of companies will have undertaken initiatives to cut document printing costs. “It is very much the topic of interest,” said Weilerstein.

Ford has a proliferation of printers that came into the company “one way or another,” said Johnson. These printers aren't managed and are often ink-jet models, which are cheap to buy but expensive to run, he said.

The company began looking at options several years ago, examining multifunction devices that can scan and fax as well as print, but it felt that the technology wasn’t mature. That opinion has changed.

HP will install multifunction laser printer devices that can be networked, giving Ford the ability to monitor printer use through a portal. Ford employees will replace paper and toner, but HP will manage the remaining functions.

Printer outsourcers are paid in a variety of ways, from per page to fixed rates. But key to any payment method is having a view into how printers are used, users said.

lim Armstrong, chief financial officer and former CIO at Vinson & Elkins LLP, has outsourced printing operations for the past three years to Lexmark International Inc. in Lexington, Ky. Attorneys at the Houston law firm print about 30 million pages annually. Printing costs used to account for about 5% of its IT spending; they’re now about 2.9% to 3.2%. Armstrong said he believes costs will decline further as the firm installs more shared printers. QuickLink 46749
Multinational firms can receive integrate
offerings as a result of an 
between HP and BP Group 
QuickLink 46756 
www.computerworld.com 
SCO Cuts [...] In Bid for Profits

The SCO Group Inc. said it has laid off an unspecified number of workers in an effort to make its Unix software operations profitable by the end of its third quarter in July. A spokesman said the cuts affected less than 10% of the Lindon, Utah-based vendor’s 275 employees. But he added that the move involved workers in all departments, including engineering.

Delta Stays Mum on Cause of IT Glitch

Delta Air Lines Inc. declined to comment about the cause of a systems glitch that forced it to cancel about 40 flights and delay an unspecified number of departures on May 1. The Atlanta-based airline has “resolved the situation,” said a spokeswoman. But, she added, “as a matter of company policy, we will not provide additional information on the issue to ensure the protection of our IT systems.”

Gates Pays Fine Over Stock Buy

The U.S. Department of Justice said Bill Gates, Microsoft Corp.’s chairman and chief software architect, has agreed to pay an $800,000 civil penalty to settle charges that he violated stock-buying requirements in 2002. The case involved a $50 million stock purchase that Gates made in ICOS Corp., a pharmaceutical maker in Bothell, Wash., through his personal investment company.

Short Takes

The BRITISH BROADCASTING CORP. has chosen Accenture Ltd., Computer Sciences Corp. and Siemens AG as the finalists for an IT services deal that will include the sale of its BBC Technology Holdings Ltd. unit. . . . SAP AG said it plans to increase its head count of software developers in India to 1,500 by year’s end, up from about 1,000 now.

HOT TECHNOLOGY TRENDS, NEW PRODUCT NEWS AND INDUSTRY GOSSIP BY MARK HALL

Scrapping and Fixing Data Can Cost...

... companies at least 10% of their yearly revenue.


And if your data quality is bad enough, that figure can reach a staggering 25%. That’s the analysis of Larry English, president of Information Impact International Inc., a data quality consultancy with headquarters in Brentwood, Tenn. He points out that it’s not cheap to hunt down and eliminate or fix bogus information. But indirect costs can be far greater — you could lose customers if you jerk them around with bad information, and ambiguous or absent data could result in missed opportunities. So, it’s undoubtedly a Martha-Stewart-quality good thing that Firstlogic Inc. in La Crosse, Wis., this week unveils its beta version of IQ8 Integration Studio. The new product helps you work with your line-of-business colleagues to define data quality policies that can be applied across all applications throughout the company. It uses standards-based Web services to link to other programs. It also comes with Data Quality Blueprints, templates designed for specialized data-quality needs such as those of consumer marketing groups. The product can be run in batch mode or be applied to real-time transactions. It works with data on Oracle, SQL Server and MySQL databases. DB2 compatibility is in the works. The IQ8 Integration Studio will be generally available June 30, with prices starting at $100,000.

Multifunction network appliance claims. . .

. . . irk load-balancing vendor. Bill Kish, CEO and CTO of Coyote Point Systems Inc. wants to respond to statements made here by Craig Stouffer, marketing vice president at Redline Networks Inc. [QuickLink 45582]. “You can produce an appliance that you claim can do everything. But it won’t do anything particularly well,” Kish fires back. He says he has heard such claims from other companies, too. But he argues the only vendor that could conceivably make such a claim is his neighbor Cisco Systems Inc. “And, as far as I know, they’re not,” he adds. Kish suggests that “dedicated solutions” are far better because the engineers don’t stray too far from their area of expertise. Still, in the coming months San Jose-based Coyote Point Systems will add data compression to its line of Equalizer traffic management appliances and shift from building its hardware to getting it directly from Dell Inc. and adding the software. Equalizer appliances start at $3,995.

New network traffic management vendor elbows...

...its way into crowded market. What with Cisco, Coyote Point Systems, NetScaler Inc., Redline and many others offering an array of traffic management gear, you'd think that would be enough. Nope. This week comes the announcement that Crescendo Americas Inc. in Dublin, Calif., will open its doors for business, selling the CN 5000-E appliance running its Maestro network traffic management software. President Steve Elston says that with 1 Gigabit Ethernet making headway in data centers and 10 Gigabit “just around the corner,” Web, application and database servers will collapse under the increased load. The appliance, now in late beta, will ship in early June and set you back about $19,995.

Sarbanes-Oxley smiles on BPM...

... vendors that offer compliance templates. Suppliers of business process management (BPM — not to be confused with the other BPM, business performance management) tools are quickly churning out modules with dashboard viewers so executives can check at a glance whether they are in compliance or in danger-Will-Robinson territory. The willingness of jail-conscious CEOs and CFOs to sign hefty checks for BPM software helped propel 15% growth for the market segment last year, according to Dataquest Inc. Sebastian Risse, director of product development at CommerceQuest Inc. in Tampa, Fla., says last year was also the first time BPM ceased to be “a solution looking for a problem.” Competitor Daryn Walters, vice president of worldwide marketing at HandySoft Global Corp. in Vienna, Va., adds that buying patterns shifted in 2003 from purely an IT sell to one that now includes the business units, which seem more willing to invest than IT did. Sensing that they have a chance to broaden their value inside companies, BPM vendors are dipping their toes into new areas. For example, an upcoming release of CommerceQuest’s Traxion BPM software will be able to integrate with Microsoft Project — or eliminate it, since Traxion will have a complete project management engine. And HandySoft, which this week unveils its BizFlow 9 upgrade, includes a new simulation tool that lets you run what-if scenarios on how changes to a business process will affect an organization. It will also come with a risk mitigation feature that warns users when a given process’s conditions get out of whack. Look for BPM to become the blazing buzzword (or is that buzz-acronym?) of 2004. QuickLink 46730
Cisco Adds Support for WLANs to Its Switches

New module will let Catalyst 6500s

BY BOB BREWIN

CISCO SYSTEMS INC. last week announced plans to add wireless LAN management capabilities to its Catalyst 6500 switch line, a move that will give IT managers the ability to control their wired and wireless networks from a single device.

Cisco is aiming the Wireless LAN Services Module (WLSM) at large corporate, academic and health care networks, said Bill Rossi, vice president of its WLAN division. He added that the Catalyst 6500 add-on supports 50-millisecond handoffs between wireless access points when end users roam across WLAN subnetworks, improving Cisco’s ability to support applications such as voice over IP.

Network managers can also use WLSM-equipped switches to add firewalls plus intrusion-detection and filtering capabilities to WLANs, Rossi said. In addition, they can segment groups of mobile users and give them different levels of access to data.

John Hummel, CIO at Sutter Health in Sacramento, said he’s testing the WLSM and plans to use the device to manage Cisco-based WLANs in Sutter’s 25 hospitals in California. He also intends to use the module to manage VoIP calls when Sutter starts testing hands-free voice devices made by Vocera Communications Inc. later this year.

Sutter is engaged in a massive project to upgrade its hospital buildings and the IT networks in them. Many of the hospitals are insulated with asbestos, and Hummel said installing WLANs is far less expensive than the cost of the asbestos mitigation work that would be needed to build new wired networks.

The base configuration of the WLSM costs $18,000 and can manage up to 150 of Cisco’s access points. For another $8,000, users can buy a license for the company’s Internetworking Operating System software that lets them control a total of 300 access points. Rossi estimated that the total cost of adding a WLSM module to a Catalyst 6500 switch and installing wireless access points would be between $500 and $1,000 per access point.

That would be roughly comparable to what competitors like Airespace Inc. and Symbol Technologies Inc. charge for switch-based systems that only manage WLANs. For example, San Jose-based Airespace sells its access points for $400 and switches for $12,000 to $14,000. Jeff Aaron, senior manager of marketing at Airespace, said that he found “nothing surprising” in the WLSM announcement and claimed that Cisco was following his company’s technology lead.

Aaron acknowledged that Cisco’s addition of WLAN support to its market-leading switches could put competitive pressure on other vendors, but he said Airespace hopes to continue taking advantage of its reseller deals with Alcatel, NEC Corp. and Nortel Networks Ltd.

“Airespace put the switch into wireless, and Cisco put wireless into the switch,” said Craig Mathias, an analyst at Farpoint Group in Ashland, Mass. He added that he thinks the market for enterprise-class WLANs is starting to heat up now that many security concerns have been resolved.

Cisco has been a proponent of decentralized WLANs, but Rossi said the addition of the WLSM isn’t a wholesale change. The company will continue to build software that manages the airwaves and security functions into its access points, he said. QuickLink 46746

Cisco Rivals Ready WLAN Responses

In the wake of Cisco's Wireless LAN Services Module announcement, Airespace and Symbol Technologies will both announce plans to beef up their WLAN product lines at this week's Networld+Interop conference in Las Vegas.

Airespace will introduce its Intelligent RF Access Point, which uses so-called smart antenna technology to improve WLAN performance. Four receive and four transmit antennas are mounted on the access point, allowing it to select the best radio frequency paths to and from mobile users, said Jeff Aaron, senior marketing manager at Airespace.

The multiple-antenna setup also helps reduce interference between access points and client devices and can help IT managers zero in on rogue access points installed on a network, Aaron added. The new access point is due in the third quarter and will be priced at an undisclosed premium over Airespace’s standard access points, which sell for about $400.

Airespace also plans to introduce software that can pinpoint the locations of mobile devices “within a few meters” using radio frequency fingerprinting technology developed by the company, along with a location appliance that can track thousands of wireless clients simultaneously, Aaron said.

Holtsville, N.Y.-based Symbol Technologies will announce its Mobility Services Suite, a set of applications that IT managers can use to automatically provision, configure and manage mobile devices and WLANs. Lee Williams, general manager of Symbol's mobility division, said the software will be available in July or August.

- Bob Brewin

MORE N+I NEWS

For additional coverage of the conference and products being announced there, visit our Web site:
QuickLink 46738
www.computerworld.com

Proposed Bill Seeks Stronger Privacy Protection Offshore

Status of data now offshore unclear

BY JAIKUMAR VIJAYAN

Proposed legislation in Congress could have some important privacy and security implications for companies outsourcing work to offshore destinations.

The bill (S.1232), called the Safeguarding Americans From Exporting Identification Data Act (SAFE-ID), was introduced by Sen. Hillary Rodham Clinton (D-N.Y.) last month. It has been referred to the Senate Committee on Commerce, Science and Transportation.

Calls to Sen. Clinton’s office seeking comment weren't returned, so it’s unclear whether a hearing on the bill has been scheduled or whether a companion bill has been introduced in the House.

“We don’t know if this thing has legs or not yet,” said Peter Adler, a partner at Foley & Lardner LLP in Washington. “But I don’t think that this will be the last we are hearing of bills such as this.” California alone has more than a half-dozen pending bills that seek to impose varied privacy safeguards on outsourced personal information.

Driving interest in such legislation are the growing privacy concerns relating to financial and health care information being sent offshore as part of outsourcing initiatives, including medical transcription work, he said.

SEN. CLINTON’s [...] privacy-related conditions to transmit data abroad.

SAFE-ID proposes a set of privacy-related conditions that need to be met by U.S. companies transmitting personally identifiable information to a foreign affiliate or subcontractor. Under the proposed act, companies could transmit such information to any country that is deemed by the Federal Trade Commission to have a legal system that provides for “adequate privacy protection.”

But the law as proposed
doesn’t address data that has 
already been transmitted to 
and stored in foreign loca- 
tions, said Stephen Wu, CEO 
of Infosec Law Group, a law 
firm in Mountain View, Calif. 
It’s also vague about what 
would happen in situations 
when data might be retrans- 
mitted by subcontractors, said 
Wu. “There’s going to be a lot 
of interpretations if this be- 
comes law,” he said. @ 46751 
Sasser Outbreak Demonstrates Need for Quick Patch Response

Vulnerability management is key to defenses as attackers improve tactics

BY JAIKUMAR VIJAYAN

LAST WEEK’S Sasser worm outbreak, which disrupted operations at some businesses while leaving most virtually untouched, highlighted the difference a good vulnerability management strategy can make to a company’s defenses, users and analysts said.

The W32/Sasser worm started spreading on April 30, and by the middle of last week, it had infected hundreds of thousands of systems globally.

The worm took advantage of a flaw in a Windows security and authentication component that Microsoft Corp. disclosed on April 13. Microsoft released a patch to fix the problem on the same day, and since then, the company and several security experts have been urging users to install the update as soon as possible.

The fact that the worm managed to infiltrate some corporate networks despite the warnings shows that there is still progress to be made in promptly responding to such vulnerabilities, said Art Manion, a member of the CERT Coordination Center at Carnegie Mellon University.

“Some organizations have streamlined patching and policy management to roll out important updates in a matter of days,” said Ken Dunham, an analyst at Reston, Va.-based iDefense Inc. “Others are so careful and test so many features that they end up being vulnerable for an extended period of time.”

A large majority of those infected last week were believed to be home users. But several large organizations were hit as well, including American Express Co. in New York. An Amex spokeswoman said that “some employee desktops” were affected by the worm. “But we never had any issues with our networks or service,” she added.

“This was a big one. But I am amazed that it got as far as it did,” said Firas Rouf, chief operating officer at eEye Digital Security, an Aliso Viejo, Calif.-based provider of vulnerability assessment services.

Several users said companies would have been protected if they had followed long-recommended security measures, such as knowing where vulnerabilities exist, prioritizing threats and responses, applying appropriate patches, keeping antivirus software up to date, blocking unused ports and installing firewalls on end-user desktops.

TRW Automotive Holdings Corp. in Livonia, Mich., escaped Sasser thanks largely to new patch management software that it had just finished deploying across 22,500 systems globally. The software from Emeryville, Calif.-based BigFix Inc. helped TRW identify vulnerable systems and deploy patches to them in an automated fashion.

“The big thing was the speed with which we were able to deploy patches to our desktops,” said Bill Blix, TRW’s global infrastructure vulnerability manager.

Proactive Approach

Meanwhile, software- and hardware-based firewalls installed on every end-user system protected St. Louis-based Tripos Inc. against Sasser.

As soon as the drug research firm heard of the vulnerability, it changed the settings on those firewalls to proactively block any attacks, said Jerry Wintrode, senior network architect at Tripos.

It also changed the settings on a policy enforcement server at the edge of its networks so that it would automatically shut out any remote system that might have somehow been infected, Wintrode said. (See “Extended Enforcement,” page 21.)

Attackers are getting quicker and more efficient at taking advantage of new flaws. Last year’s damaging Blaster worm — which Sasser was compared to — took about a month to hit the Internet after the flaw it exploited was first announced. In contrast, Sasser took less than three weeks.

Patches and work-arounds can be faulty or break existing applications and need to be carefully tested before they are deployed. Companies also need to make more of an effort to ensure that systems belonging to mobile and home-based users don’t infect otherwise clean networks. But a plethora of tools are becoming available today that are making the task more manageable, Rouf said.

“It’s not easy,” he said. “On the other hand, it’s not as hard as it used to be.” @ 46753

The big thing was the speed with which we were able to deploy patches to our desktop.
BILL BLIX, GLOBAL INFRASTRUCTURE VULNERABILITY MANAGER, TRW AUTOMOTIVE


MORE THIS ISSUE

Frank Hayes finds a method to worm writers’ madness. Page 46

More Online: Visit our Virus and Worm Center for additional information:

QuickLink a1260
www.computerworld.com


Microsoft Outlines Plans for Longhorn, 64-bit Computing

SEATTLE

At its annual Windows Hardware Engineering Conference (WinHEC) here last week, Microsoft Corp. outlined its latest plans for Longhorn and 64-bit Windows, as well as a proposal designed to help users connect devices via Web services.

Jim Allchin, Microsoft's group vice president of platforms, confirmed during a keynote address that Microsoft has “tied together” development efforts for the client and server versions of Longhorn, the code name for the next major Windows release. Allchin didn't clarify whether aligning development of the Longhorn client and server also means that they will be released simultaneously.

and server versions are being aligned.

But in March, Bob Muglia, senior vice president of Microsoft's Windows Server division, told Computerworld, “They will almost always ship at different times in the future. Clients need slightly less bake time than servers do.”

A first Longhorn beta is still planned for early next year, Allchin said. Although Microsoft has pointed to 2006 as the internal target date for the Longhorn client release, Allchin didn’t give a target date for the client or server versions of the software. All WinHEC attendees received a developer preview version of Longhorn.

Also last week, Microsoft announced that it will deliver versions of Windows XP and Windows Server 2003 for 64-Bit Extended Systems in the fourth quarter. Previously, the company had said only that it would ship the software in the second half of the year.

Microsoft also plans to release versions of Longhorn for Itanium and 64-bit extended systems as well as a 32-bit edition, according to Greg Sullivan, a lead product manager for Windows.

In a keynote address, Microsoft Chairman and Chief Software Architect Bill Gates said he expects that by the end of 2005, nearly all of the processors shipped by Advanced Micro Devices Inc. and the majority of the processors Intel Corp. ships will support 64-bit computing.

Gates predicted that the move from 32 to 64 bits will be smoother and faster than previous transitions, which he said were sometimes “messy.”

Microsoft executives urged hardware makers to build drivers for the upcoming 64-bit releases of Windows, lest the adoption of 64-bit computing be held back by hardware incompatibilities.

“The app compatibility is good, the OS support is comprehensive. What's the one thing we need? Sixty-four-bit drivers,” Allchin said.

Also at WinHEC, Microsoft, Intel, Lexmark International Inc. and Ricoh Corp. detailed new Web services technology that is designed to make it easier for users to connect devices such as printers, digital cameras and digital music players over a network.

- Joris Evers, IDG News Service




Siebel Taps IBM Sales Chief for CEO Post

Founder remains chairman, gives up management role

BY MARC L. SONGINI

THOMAS SIEBEL last week passed the CEO’s mantle at the CRM vendor that bears his name to veteran IBM executive Michael Lawrie — a move that comes as Siebel Systems Inc. is trying to rebound from two-plus years of declining revenue.

Siebel will remain as chairman and continue to be a full-time employee of the company. But he said during a teleconference that Lawrie, who previously was head of worldwide sales operations at IBM, will take over full management responsibility. “Mike runs the company,” Siebel said. “The executive team reports to Mike.”

Tim Arnold, IT manager at Bose Corp., said the management change probably won't have much of a day-to-day impact on the Framingham, Mass., maker of audio systems. But Lawrie’s addition may help dislodge Siebel from its financial rut, added Arnold, whose company uses the vendor’s sales force automation software and other applications. “Hopefully, some new blood will make a difference,” he said. “Sometimes you just need a new perspective.”

However, Lawrie said he doesn’t plan to make any “significant changes” to Siebel’s management team over the next 12 months. The new CEO added that he intends to maintain the company’s current strategy as well.

It’s still unclear what the transition’s effect on users will be, said Ken Casey, vice president of corporate services and operations at Alberta Treasury Branches, an Edmonton-based bank that runs Siebel applications in its call centers and branch offices.

Casey said that he respects Lawrie and that the bank has had a “good relationship with IBM over the years.” As part of the Siebel installation, the bank uses IBM’s mainframe and Unix systems and Windows-based Netfinity servers, plus its MQSeries messaging software and DB2 database.

Lawrie has a lot of work to do to restore Siebel’s reputation for developing products that give users “great value and great satisfaction,” said Rebecca Wettemann, an analyst at Nucleus Research Inc. in Wellesley, Mass. “There are Siebel licenses [at customer sites] that are not being used. They must identify those folks and take a harder look at customer satisfaction.”

Siebel’s annual revenue has fallen from $2.04 billion in 2001 to $1.35 billion last year. The company last month reported first-quarter revenue of $329.3 million, down slightly from the year-earlier level — but it said software license sales rose 13% year over year.

Tom Siebel, 51, last week said he decided a year ago to split the roles of CEO and chairman. Siebel added that as chairman, he will “assist in any way I can,” with his duties to include providing input on corporate strategies and working to foster relationships with users and business partners.

Lawrie, 50, had worked at IBM for the past 26 years and was a senior vice president there. IBM and Siebel did about $1 billion worth of joint business last year, according to Tom Siebel. In addition, IBM has an internal installation of about 60,000 Siebel end-user licenses, making it one of the CRM vendor’s largest users.

Joshua Greenbaum, an analyst at Enterprise Applications Consulting in Berkeley, Calif., said adding Lawrie may not give Siebel a long-term boost. “Lawrie says he’s playing the same game with the same set of cards,” Greenbaum said. “And with Tom watching over his shoulder, I doubt we’ll see that new, dramatic shift that Siebel needs to recapture its former glory.” @ 46697


With Lawrie Leaving, IBM Shifts Execs

IBM last week reshuffled several of its top executives in connection with Michael Lawrie’s decision to leave his sales job there and take over the CEO position at Siebel.

Doug Elix, who had been running the company's IT services and outsourcing unit since October 1999, was named to replace Lawrie as head of sales and distribution operations. Taking over for Elix at IBM Global Services is John Joyce, the company's chief financial officer for the past five years. Mark Loughridge, who had been general manager of global financing, was tapped to be CFO.

All three executives are senior vice presidents and report to Sam Palmisano, IBM's chairman and CEO.

In an internal memo outlining the changes to IBM employees, Palmisano noted Lawrie’s departure but described the series of management changes as business as usual for IBM.

“The intent of these leadership changes is straightforward - to step up the pace of our marketplace execution and accelerate our strategic growth plans,” Palmisano wrote.

~ Stacy Cowley, IDG News Service


SAP Seeks to Boost Use of Middleware Suite

BY MARC L. SONGINI

SAP AG plans to use its Sapphire ’04 conference this week to try to sell its ERP installed base on the idea of investing in newer products, particularly the company’s NetWeaver middleware technology.

At the conference, which starts tomorrow in New Orleans, SAP will unveil new bundles of its business applications and announce a deal with a large maker of consumer packaged goods to jointly develop a CRM offering for users in that market, said SAP America Inc. spokesman William Wohl. He declined to disclose the identity of the consumer goods company or provide further details about the agreement.

But SAP’s main goal at Sapphire will be to demonstrate to users that products like NetWeaver can help them cut IT operating costs, Wohl said. NetWeaver, which includes an integration broker and products such as SAP’s data warehousing and portal software, is designed to help users seamlessly link SAP’s applications with ones from other vendors.

Lori Schock, global business process manager at silicone products maker Dow Corning Corp. in Midland, Mich., said she plans to attend Sapphire to learn more about NetWeaver and mySAP ERP, the latest version of SAP’s flagship R/3 software. The conference “will allow us to validate our architectural strategic intent,” Schock said, noting that Dow Corning is running pieces of NetWeaver in pilot mode.

The NetWeaver technology could make it easier to link R/3 to SAP’s Business One applications for small and midsize users and to software from other vendors, Schock said. She added that she also wants to investigate SAP’s radio frequency identification technology — “fact, fiction and future.”

In March, SAP said it was building support for RFID tags into an upgrade of NetWeaver that is more unified than earlier versions were [QuickLink 45409]. And last month, the company announced that users will be able to incorporate RFID data into a release of its supply chain management applications now in beta testing.

Mike Perroni, vice president of IT at Halliburton Co. in Houston, said he has particular interest in an employee self-service module that will be included in the next version of SAP’s Enterprise Portal software, one of the NetWeaver components.

Because SAP has put so many components under the NetWeaver umbrella, it’s hard to judge how widely the middleware technology is being adopted by users, said John Moore, an analyst at ARC Advisory Group Inc. in Dedham, Mass. And it’s an open question whether users will swallow NetWeaver whole or just install pieces of the software, Moore said. @ 46726


NEW SOFTWARE

SAP plans to announce these products at Sapphire:

[…] tailored for public-sector users
Red Hat Offers Desktop Linux for Corporate Users

BY ROBERT McMILLAN AND TODD R. WEISS

Red Hat Inc. last week announced a desktop version of Linux that is designed for mainstream corporate users and includes open-source document-processing applications and messaging software.

The new release, called Red Hat Desktop, is a companion product to the vendor’s current client-level offering. But the existing product, Red Hat Enterprise Linux WS, is aimed at technical users such as software developers and computer-aided design engineers, not office workers.

And unlike the technical release, which is sold on a per-system basis, Red Hat Desktop will be available in packages of 10 or 50 units when it begins shipping this month, said Mike Ferris, Red Hat’s product marketing manager for Enterprise Linux.

Lt. Fred Wissing, application development services supervisor for the New Jersey State Police in West Trenton, plans to take a close look at Red Hat Desktop for possible use by the department’s 4,000 end users. “We're going to snarf up a copy and install it and see what it can do,” he said, adding that the evaluation process will include an examination of the existing end-user applications to see how many of them would have to be modified to use Linux.

Wissing said the department already uses Linux for a variety of back-office server functions, but only one power user is currently running desktop Linux as part of a trial. Several IT staffers have also installed Linux on their desktops, he said.

Red Hat Desktop will include open-source applications such as OpenOffice 1.1, the Evolution e-mail client and the Mozilla Web browser, Raleigh, N.C.-based Red Hat said.

Dan Kusnetzky, an analyst at market research company IDC, said the fact that Red Hat is already known in the corporate server market should help the desktop software gain acceptance from users. But Red Hat will need more than that to succeed with the product, he added.

“They’re going to need partnerships with every single one of the desktop hardware suppliers,” Kusnetzky said. “If there isn’t a strong story about how Linux comes preinstalled on the desktop hardware of your choice, then it will not be as broadly interesting.”

Ferris said Red Hat executives are working with systems vendors to develop plans for marketing the software, but he added that no hardware makers are ready to announce support for Red Hat Desktop.

In March, Hewlett-Packard Co. said it would make Novell Inc.’s SUSE Linux software its standard desktop distribution of the operating system. HP supports Red Hat Linux on some of its notebook PCs and plans to do so on its desktop systems, an HP spokeswoman said. But she declined to comment on whether HP specifically plans to support Red Hat Desktop. @ 46758

McMillan is a reporter for the IDG News Service.

READ MORE ONLINE
Q&A: Red Hat CEO Matthew Szulik on the market for desktop Linux
QuickLink 46679


Correction

IN LAST WEEK’S On the Mark column, pricing for the NetScaler 9000 from NetScaler Inc. was incomplete. The $115,000 price is for a 5,000-user license.


Continued from page 1

Wall Street

centers farther away from their primary computing facilities, according to IT managers.

Steve Randich, CIO at Nasdaq Stock Market Inc. in New York, last week said that a combination of “peer pressure and regulatory pressure” is prodding companies to ensure that their systems will keep running if a disaster occurs.

For example, the U.S. Securities and Exchange Commission last month approved rules proposed by the National Association of Securities Dealers Inc. and New York Stock Exchange Inc. that require firms to submit business continuity plans detailing how they will provide ongoing access to systems during an emergency. The plans are due by Aug. 5 for NYSE members. The NASD set deadlines of Aug. 11 for firms that clear stock trades and Sept. 10 for brokerages that initiate transactions.

In addition, the Securities Industry Association next week plans to conduct a business continuity tabletop exercise in conjunction with the Bond Market Association. The SIA said government regulators will be present at the event, in which participants will walk through the process of responding to an emergency and coordinate their disaster recovery plans.

Nasdaq announced two weeks ago that it had run tests at its two data centers to check the disaster recovery capabilities of member companies. The tests involved more than 50 brokerages and were conducted at the exchange’s primary data center in Connecticut in February and at its backup facility in Maryland last month.

“It’s not that the regulators are mandating to see test results, although internal and external auditors and the SEC have collected records on the outcome of our tests,” Randich said. “It’s just short of a mandate, but that’s enough to encourage people to ensure this all works seamlessly.”

Randich said there was no system downtime at Nasdaq or the participating firms during the tests. “What we didn’t know for certain was our market participants’ ability to run [transactions] out of their backup sites,” he said. “This was the first time outside of a disaster scenario where we were able to validate that their operations were good.”

Peter Poulos, director and head of the business continuity group for the Americas at Credit Suisse First Boston LLC in New York, said he thinks “every major securities firm on the Street” is facing the challenge of showing that its disaster recovery strategies are in order.

Poulos, who is also chairman of the SIA’s Business Continuity Planning Committee, said Credit Suisse’s systems worked smoothly during Nasdaq’s tests. But its disaster recovery plan still has some kinks that need to be worked out, he added. Poulos wouldn’t disclose further details but noted that more pressure is being put on firms to increase the resiliency of their systems beyond the capabilities they have already built.

Large financial services firms also face an April 2006 deadline for meeting new federal guidelines on increased resiliency for trade clearance and settlement activities. The SEC, the Federal Reserve Board and the U.S. Treasury Department’s Office of the Comptroller of the Currency set the guidelines in a white paper last spring.

Complying with the guidelines “means having people in place at another location that’s not in a commutable distance to the primary site,” Poulos said. Many firms may move their backup data centers to other parts of the New York metropolitan area or to more remote locations, he added.

Howard Sprow, director of business continuity planning at the SIA, said the new rules shouldn’t have a big impact on large firms that have been improving their disaster recovery architectures since the Sept. 11, 2001, terrorist attacks. The NASD and NYSE are simply looking to “formalize the process,” he said.

“All the firms have robust backup sites that are some distance from their primary sites,” Sprow noted. “But they are looking at ways to add additional sites or to increase the separation.” @ 46725


Nasdaq Is Ready For Disaster

• The stock exchange’s two data centers are located 300 miles apart - one in Connecticut, the other in Maryland.

• The systems and IT infrastructure at the backup facility are equal to or at near parity with the ones at the main data center.

• Dual utility power feeds are provided to both data centers to protect against outages.

• Both facilities are in rural office parks, so Nasdaq can maintain a combined total of 85,000 gallons of diesel fuel on-site - enough to run generators for more than a week.


PASSING THE TEST
Q&A: CIO Steve Randich discusses Nasdaq's disaster recovery tests:
MARYFRAN JOHNSON

Compliance Bonanzas

WHEN WAS THE last time you read about a $40,000 retention bonus for someone with a hot skill in IT? I'll bet it was sometime around the turn of the century, when Y2k fears had CEOs wringing their hands and CFOs signing checks for whatever IT asked for.

Today, it’s a different story with some eerie echoes. The latest salary bonanzas aren’t tied to arcane skills in Cobol programming but to IT auditing experience applicable to the slew of regulatory compliance issues companies are facing. In our front-page story last week (“IT Auditors Coveted, Hard to Find,” QuickLink 46577), we wrote about one enterprise risk manager being courted with generous raises, bonuses and stock options from a pair of Fortune 250 companies anxious to get him on staff as the year-end Sarbanes-Oxley compliance deadline looms.

The big accounting firms are also hiring briskly to beef up their in-house expertise in everything from Sarbanes-Oxley and HIPAA to the Patriot Act, the Gramm-Leach-Bliley Act and the European Union’s directive on privacy protection. Ernst & Young, for example, has expanded its IT risk practice by 30% in the past 10 months and has 200 openings to fill by the end of next month.

A lot of people I’ve talked with lately believe — or maybe hope — that all these regulatory mandates will turn out to be another kind of bonanza for IT. That they'll force companies to clean out their data closets and reorganize business processes. That they’ll usher in new project disciplines, forge stronger IT-business partnerships and strengthen relationships with customers by better protecting their privacy. And, of course, that they’ll elevate security and privacy protections to new heights of corporate support.

Those are very seductive notions, and I’d love to believe them. But I also hear the distant ring of the déjà vu bell. An awful lot of ill-conceived ERP projects were launched under the banner of Y2k rescues, and those later came back to bite IT with outrageous cost overruns, disappointing results and a wider-than-ever credibility gap with senior management. The risk of repeating history is a significant one, and there’s a lot more at stake than the reputation of the IT organization.

Last week, I moderated a panel discussion at UCLA on regulatory compliance and corporate security, with a speaker lineup that included chief security officers and privacy and legal experts. Attorney Peter Adler, a partner at Washington-based Foley & Lardner, cautioned the audience about creating silos of regulatory compliance expertise — for example, having a set of HIPAA experts in HR and a set of Sarbanes-Oxley specialists in the finance department. He advocated a unified approach to dealing with privacy laws and financial disclosure mandates, many of which have common elements and similar requirements.

At the end of our discussion, I asked the assembled experts for their single best piece of advice for IT managers dealing with the regulatory storm. “Think long and hard about who gets access to your data,” one advised. “Get serious about federated identity management systems,” said another. “You can never do enough employee training,” one stressed.

All agreed that regulatory mandates are driving renewed urgency into IT security practices and raising awareness of privacy protection obligations for both the public and private sectors. Security risks will keep growing, new laws will keep piling responsibilities on IT, and the audit cycles will keep on coming.

If there are indeed salary bonanzas coming with all this, IT will earn each and every one of them. @ 46713
Pushing IT With the Governator

WHAT HAS YOUR governor done for you lately?

I’m talking about tax credits, grant money, streamlined bureaucracy, maybe some personal attention.

If your state and local politicians 
aren’t trying to help your IT business, 
they need to take some lessons from 
the Governator. California Gov. Arnold
Schwarzenegger has been pressing the 
flesh thousands of miles from home as 
part of his effort to lure IT business to 
the Golden State. 

In Schwarzenegger’s first official trip 
overseas, he flew to Israel for 24 hours 
and bagged almost 1,000 new tech jobs 
for the state, while 
making headlines as 
someone who will do 
what it takes to en- 
courage IT firms 
to relocate business 
to the shores of the 
Pacific. 

At the top of 
Schwarzenegger’s 
tally for his day trip 
to Israel was Sanrad 
Inc., a Tel Aviv-based 
IP storage network- 
ing firm, which plans to put its world- 
wide headquarters in Alameda, Calif., 
bringing 300 jobs to the new facility. 

Other deals announced by Schwarz- 
enegger include an expansion of a joint 
venture between Yokneam, Israel- 
based Arad Technologies and Sacra- 
mento-based USCL Corp. to build in- 
telligent utility meters. Yahud, Israel- 
based Magal Security Systems will in- 
crease production of monitors de- 
signed to protect buildings, airports 
and transport facilities at its Fremont, 
Calif., location. Netline Communica- 
tions Technologies in Tel Aviv will de- 
sign and build devices to jam remote 
activation of bombs as part of a joint 
venture with Santa Cruz, Calif.-based 
Life Safety Systems. And ForeScout 
Technologies will add to its operations 
in San Mateo, Calif., where it is work- 
ing on preventing Internet hacking. 

Not bad for 24 hours’ work. 


Pimm Fox is a London-
based journalist.
Contact him at










The success of Check Point Software Technologies Ltd., the world’s leading developer of firewall software, was founded on innovative Web service applications, which it used to support a global, third-party channel that delivered one hundred percent of the company’s sales.

But success had a price: its central IT department was spending too much time maintaining the large number of applications. What's more, their IT infrastructure was a dizzying mix of different application servers, development tools, and open source components.

Using SAP NetWeaver — and, more specifically, SAP Enterprise Portal and SAP Web Application Server — Check Point was able to immediately consolidate its Web services infrastructure, doubling central IT’s application development productivity. Within a year and a half, Check Point saw an ROI of 586% based on IT productivity increases and swifter rollouts. The consolidation also allowed Check Point to reduce the number of servers running their Web service applications from 11 to 3. Over five years, Check Point expects a 23% reduction in TCO.

Carl Zeiss, a leading optical component manufacturer with 14,000 employees, needed to find a way to evolve more quickly. Consolidation among optical chains was creating new, ever larger customers, resulting in management scenarios of greater complexity and delays in order processing.

Using SAP NetWeaver, Carl Zeiss was able to integrate multiple systems around the needs of their customers, developing individual logistics strategies for each chain. As a result, custom orders and changes are now accommodated more easily. And the time it takes to integrate a new customer into the system has dramatically decreased.

Besides gaining more-satisfied customers, Carl Zeiss reduced the average cost per integration interface by 50%.

Sasol, a holding company for nearly fifty separate chemical and fuel businesses around the world, had consolidated all of its core operational software around SAP. However, it still faced the challenge of properly managing a widely dispersed, and culturally diverse, workforce.

Using SAP NetWeaver, Sasol was able to create an enterprise-wide information portal for collaboration and communications between employees of different divisions, greatly increasing the company’s ability to meet strategic corporate goals. The portal also served to coordinate business processes for HR, production planning, and production workflow across Sasol’s various business units.

The financial results were impressive, with an ROI over five years, after tax, of 453%. But even more importantly, thanks to SAP NetWeaver, Sasol was able to become a truly global player.

Feeling a bit skeptical these days? It’s perfectly understandable.

After all, integrating those “best of breed” applications into your IT infrastructure turned out to be not nearly as fast or foolproof as advertised. And capturing their full value, as well as the full value of your entire infrastructure, probably still seems like a distant goal.

Given the circumstances, you did everything you could. After all, you were handed the technological equivalent of a drawerful of mismatched socks. Very expensive socks.

But now you can do more — actually quite a lot more. Read on and find out how.

Remember when it was okay for businesses to evolve slowly?

Of course you don’t. Success has always been about speed: the speed of innovation, the speed of implementation. And it all just keeps getting faster.

Today, markets, customers and competitors change seemingly overnight. And so must your business processes and strategies.

Unfortunately, this rapid pace of change has exposed a fundamental weakness at many businesses: an IT infrastructure that can’t evolve quickly enough to take advantage of opportunities or respond to challenges.

There are two reasons for the bottleneck.

The first is complexity. By the time a new business process or strategy can be designed, built, implemented and executed technologically, the window of opportunity has usually closed.

The second is monetary. Currently, 80% of the average IT budget is earmarked for operation and consolidation. Very little is left for innovation.

Source: SoundView Technology Group, 2003

Can your business afford to concede opportunities to more agile competitors? Of course not.

Your task is clear: to enable your company to compete and win, you have to reduce the complexity and cost of your IT infrastructure, and reallocate more of your resources toward innovation.

Fortunately, there’s a technology platform that will enable you to fulfill that task. It’s called SAP NetWeaver.

But before we take a closer look at what makes SAP NetWeaver so useful, let’s explore what contributes to a high, and skewed, overall TCO.

The typical IT infrastructure is a jumble of disparate technologies (including portals, business intelligence, knowledge management, etc.) and applications (both legacy and best of breed).

Whether you're integrating your applications into a portal or a business intelligence solution or connecting your apps with the integration broker, it’s costing you time, money, and unnecessary aggravation.

To help illustrate just how much money, we're introducing a new, more complete way of identifying costs. It’s called The Complete TCO Equation.

COMPLETE TCO =
the cost of all your technologies, including their integration into a single platform
+ the cost of all your applications, including their integration into an end-to-end process
+ the cost of integrating all your technologies with all your applications

From this point of view, it’s no surprise that integration has been likened to a sinkhole, draining money from innovation and preventing your business processes and strategies from evolving as quickly as they need to.

But what if you could transform integration into a far simpler, less expensive, less painful process, no matter whose technology or applications you're integrating? Now you can — with SAP NetWeaver.

Imagine being able to quickly and efficiently align IT with your business’s needs, to drive new strategies for growth while minimizing risk and cost, to compose new business processes on top of existing systems.

It’s all possible with SAP NetWeaver.

SAP NetWeaver is an open, standards-based integration and application platform that greatly reduces the complexities of integration. Its components include a portal, an application server, business intelligence, and integration and data consolidation technologies.

With SAP NetWeaver, you capture the full value of the technology you already have in place, and pave the way for future technology, SAP or non-SAP.

The result: an opportunity to achieve significantly greater flexibility at a far lower sustainable TCO.

Bottlenecks disappear. Timetables are met. Business goals are achieved. Your entire IT architecture is elevated from an enabler of work into an enabler of change.

For current SAP customers, there even more of an ad
comes pre-integrated for SAP’ solutions, which greatly reduces the costs associated with systems integration.

But SAP customer or not, there’s one thing that should be clear: of all the software providers in business today, SAP is uniquely positioned to deliver integrated technologies and technologies integrated with

If that concept piques your interest, we suggest you visit sap.com/netweaver where, we hope, your curiosity will be integrated with our solutions.
Sure, not all governors have the star power or the love of IT that Schwarzenegger has. (In The Terminator, the computer code audiences see through Schwarzenegger’s eyes is a mixture of Cobol and assembly code for the Apple II computer.) And maybe you're not into the political scene. But you’ve got to push pols to work for you.

If you’re not hobnobbing with elected officials who can blast through red tape to help you increase productivity, you're missing out. If you’re ignoring the meet-and-greet sessions with local party hacks who can insert favorable rules into state legislation, then you’re not firing on all cylinders.

Does this sound cynical and manipulative? It isn’t.

Running an IT business is no easy task. Competitors are trying to beat you on price, customers demand ever-higher-quality service at lower costs, and attracting talented and loyal workers is time-consuming and expensive.

Big corporations use the tax code to their advantage and aren’t shy about asking for government handouts to keep business humming.

Think of all the things government could do to help IT at the operational level, from hiring to research grants.

And who knows — maybe you could get some free acting lessons. @ 46652


DAN GILLMOR

A Road Warrior's Inventory

I’VE BEEN a fairly hard-core road warrior for the past few years. Users like me are a challenge for IT departments, because we’re trying to replicate the best parts of our offices in one carry-on bag.

My own gadget bag is a continually evolving set of tools, the kind that make it possible to be connected and up to speed pretty much anywhere I happen to be. Your mileage may vary, but these tools work for me.

I start with an aluminum Macintosh G4 PowerBook with a DC charger that works in the car and on airplanes, in addition to the regular wall charger.

It worries me how much of my professional existence is in this thing. That’s why I also carry an 80GB FireLite device from SmartDisk for routine backups, including a daily backup of essential files such as chapter drafts of a book I’m nearly finished writing. I lost a bunch of important e-mails in the middle of 2003 and decided that it wouldn’t happen again. I keep the disk drive in a separate place in my hotel room.

Laptops are hardier than ever, but they’re not indestructible. On planes, I carry my Mac “double-wrapped.” I put the computer in a padded, ballistic-nylon “sleevecase” from WaterField Designs. The sleevecase then goes into a carry-on bag that adds further protection.

Once I get to my hotel room, I pull out the sleevecase and attach a padded shoulder strap and piggyback bag that holds my power supply as well as a notebook (analog), a digital camera, a couple of cables and other small items. That way I can leave the big bag in the hotel instead of schlepping it around.

I’m a convert to the phone/PDA routine. My PalmOne Treo 600 is the best combo device I’ve seen so far. I’ve been loading a bunch of third-party software onto it, including a Freecell game for emergency boredom cures.

To carry the Treo, I use a padded camera pouch that attaches to my belt. I also have a retractable sync and cable/charger thingy, which saves lots of room and is vastly more convenient.

I put a 512MB memory card into the Treo, found a third-party MP3 player and now listen to music on the Treo. It’s not as nice as Apple’s iPod, but it’s one less thing to carry.

One vital road-warrior tool is a pair of noise-canceling headphones, which make a huge difference in reducing fatigue from long plane rides. At the moment, I’m using the Sennheiser PXC250 model. I’m eyeing the new Bose set, but it’s twice as expensive.

Then there’s an assortment of other cables, including a retractable phone, Ethernet and FireWire line. I love the convenience of the ones that wind up inside a spindle, helping me avoid cord spaghetti. And, of course, I have extra batteries, a USB adapter for various device memory cards to download pictures and transfer files, and several notebooks, pens, tissues, antibacterial hand wipes, decongestant nose spray (essential if you fly with a cold) and other basic remedies and vitamins.

One crucial addition: a paperback book. I never know when I might be waiting in line (the immigration line at Tokyo Narita took an hour last month), and it’s always nice to have something to read. Not all of life is digital. @ 46598

DAN GILLMOR is technology columnist at the San Jose Mercury News. Contact him at dgillmor@sjmercury.com.
HP Betrays Users

THE MPE/iX operating system is one of the best ever written [“HP Responds to Pressure From e3000 Users,” QuickLink 46280]. Although it isn't an open platform, most businesses don’t want their primary systems to be that open. We want it to be secure and to do the core business without interruptions.

I've been an HP e3000 user, programmer and manager for 20-plus years. I saw the mistakes made by Hewlett-Packard during the late 1980s with the HP 3000. Now third-party vendors are price-gouging e3000 customers, and HP is turning its back on loyal customers. The grief, problems and expense I've experienced during this dumping of the HP e3000 have left a bad taste in my mouth. I'm recommending that the company I work for not purchase any HP equipment in the future. The “HP Way” has gone astray!

Bryan Goodwin
Senior software engineer,
Springfield, Ore.


Open-Source Keeps Mainframes Alive

MAINFRAMES are far from “going away” [“IT Vets Reminisce on IBM 360’s 40th Anniversary,” QuickLink 46119], as Marc Veen, operations support at Alticor Inc., put it. It's too bad Alticor chose to discard the very system that could enable its move to open systems. Over the last several years, IBM has made tremendous progress in adding open-systems technology to its mainframe product line. Whether by accident or intent, IBM has continued the root definition of the original 360 philosophy of using one system for all needs, by including support for Linux and Java.

Bruce A. McKnight
zGroup principal, Boundless
Flight Inc., Cleveland,
Bruce@BoundlessFlight.com


Many Tools Need Real-Time Abilities

WHILE reservations systems can benefit from being real time, there are other systems that have always needed that capability and tried to provide it [“Almost Real Time,” QuickLink 46191]. The air traffic control systems are one type. State and local police departments’ warrant and “wanted” systems are another. No one wants to pay a fine or clear his case only to be arrested two minutes later on the same warrant. Our military systems and NASA have had similar requirements. Many systems need immediate updating if they are to deliver the value everyone desires from them. I suspect that historically, government IT systems have been as interested in real-time systems as commercial enterprises, and perhaps even more interested in them.

Gene Lauver
Senior programmer, St. Louis


Calculating Risk

REGARDING the article “Big Four Accounting Firms Join in Cyber-Risk Effort” [QuickLink 45597], I have to say that something similar was done already in the Open Source Security Testing Methodology Manual (www.osstmm.org). This methodology is a true open-source initiative that has over 1,000 volunteers worldwide, including members of the Big Four. Last month, we released the Risk Assessment Values at the ISESTORM event in Barcelona and again at symposiums in France, Spain and Italy. The RAVs provide quantitative risk assessment based on security tests and quantify risk in two parts: justified risk, which is inherent risk in doing business, and actual risk, which is the current state of the network regarding vulnerabilities.

Together with results from best-effort practices like ISO 17799, BS 7799, OCTAVE and other risk assessment methodologies, the security management and operations approach can be combined with the OSSTMM for very accurate risk assessment calculations. Additionally, the results can best be analyzed by a professional security analyst who may make manual verifications prior to processing and quantifying the risks. This prevents the problem of “trusting the tools,” which has led to many false security assumptions and poor risk analysis.

Pete Herzog
Managing director,
Institute for Security
and Open Methodologies,
Barcelona, Spain,
pete.herzog@isecom.org
BLINK OF AN EYE


For your next generation of applications, move 
to the next generation of database technology. 

Caché is the post-relational database that com- 
bines high-performance SQL for faster queries and 
an advanced object database for rapidly storing 
and accessing objects. With Caché, no mapping 
is required between object and relational views of 
data. That means huge savings in both development 
and processing time. 

Applications built on Caché are massively scala- 
ble and lightning-fast. Plus, they require minimal 
or no database administration. 

More than just a database system, Caché incor- 
porates a powerful Web application development 


environment that dramatically reduces the time to 
build and modify applications. 

The reliability of Caché is proven every day in 
“life-or-death” applications at thousands of the world’s 
largest hospitals. Caché is so reliable, it’s the leading 
database in healthcare — and it powers enterprise appli- 
cations in financial services, government and many 
other sectors. 

We are InterSystems, a specialist in data manage- 
ment technology for twenty-five years. We provide 
24x7 support to four million users in 88 countries. 
Caché is available for Windows, OpenVMS, Linux and 
major UNIX platforms — and it is deployed on systems 
ranging from two to over 10,000 simultaneous users. 


InterSystems Caché


Make Applications Faster 


Read or request a copy of the Baroudi/Bloor white paper “The Failure of Relational Database, 
The rise of Object Technology and the Need for the Hybrid Database.” at www.InterSystems.com/cworld 
FUTURE WATCH
Computational Origami
Some pioneering researchers in this new field believe the math behind paper folding could help decode the “bad” protein folds thought to cause diseases such as Alzheimer’s and mad cow. Page 26


TECHNOLOGY


SECURITY MANAGER’S JOURNAL
Security Policy a Paper Tiger
Despite explicit policies in Mathias Thurman’s company, problems with rogue access points and incident-response procedures haven't abat
Page 28


LIKE MANY companies, for sev-
eral years Tripos Inc. has re-
quired employees who work
remotely to install a firewall
and antivirus software on the
laptop or desktop PCs they
use to connect to the corpo-
rate network via VPN.

But it wasn’t until about a
year ago that the St. Louis-based drug
research company adopted measures
to enforce end-user compliance with
those requirements.

Technology from InfoExpress Inc.
in Mountain View, Calif., helps Tripos
monitor and audit all remote end-user
systems to ensure that they have active
firewalls and updated antivirus soft-
ware. Systems that don’t have both are
automatically shut out of the Tripos
network.

Tripos is one of a growing number
of companies turning to monitoring
and auditing technologies such as
those from InfoExpress to enforce pol-
icy compliance at vulnerable network
endpoints. The tools, many of which
require software agents to be installed
on client devices, inspect systems for
active firewalls, the latest antivirus sig-
natures, secure configuration settings
and unauthorized privilege escalation.

The demand for such endpoint en-
forcement technologies is being driven
by growing concerns that remote
client devices could be compromised
and used by attackers to gain entry
wanted t
agent softw
mation on a variety of issues, such as
the status of antivirus software, fire-
walls, host intrusion-detection sys-
tems, patches and reg-
istry values.
The enforcement agent typically 
sits between the client and the corpo- 
rate gateway and audits this informa- 
tion for compliance with corporate 
policies. Systems that are compliant 
are allowed access to the network, 
while those that aren’t are either auto- 
matically blocked or redirected to a 
quarantine site for fixes. In some
cases, the tools can be used to bring 
an endpoint device into compliance, 
by turning on a firewall or download- 
ing the latest antivirus signatures, for 
instance. 

In other cases, the enforcement 
agent can send a message back to the 
user indicating the necessary remedial 
action, or it can provide restricted ac- 
cess to network resources until the 
system is brought into compliance. 

Meanwhile, the policy management 
server defines and manages the poli- 
cies that are enforced. 

Not all endpoint technologies need 
client-side agents. Some are server- 
based products that probe client de- 
vices for compliance when the user 
logs onto the network. Costs can range 
from $50 to $150 per user, depending 
on the level of enforcement. 
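
The audit-and-enforce flow described above, sketched as an added Python example (it is not code from InfoExpress, Zone Labs, Cisco or any other vendor named in the article). The field names, patch identifiers, registry key, the seven-day signature limit and the mapping of findings to the four outcomes are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"          # compliant: full network access
    RESTRICT = "restrict"      # limited access while the agent fixes the host
    QUARANTINE = "quarantine"  # redirected to a remediation site
    DENY = "deny"              # blocked outright


@dataclass
class Posture:
    """Report sent by the client-side agent (field names are hypothetical)."""
    host: str
    agent_running: bool
    firewall_on: bool = False
    av_signature_date: date = date.min
    patches: frozenset = frozenset()
    registry: dict = field(default_factory=dict)


@dataclass
class Policy:
    """Rules held by the policy management server (constructed values)."""
    max_signature_age_days: int
    required_patches: frozenset
    required_registry: dict


def audit(posture, policy, today):
    """Enforcement step: return (Decision, list of remediation messages)."""
    if not posture.agent_running:
        # Without a running agent there is no posture data to trust.
        return Decision.DENY, ["start or install the compliance agent"]

    self_heal = []  # settings the tool can correct on the endpoint itself
    manual = []     # fixes the user has to fetch from a quarantine site

    if not posture.firewall_on:
        self_heal.append("turn on the personal firewall")
    age = (today - posture.av_signature_date).days
    if age > policy.max_signature_age_days:
        self_heal.append(f"update antivirus signatures ({age} days old)")
    for patch in sorted(policy.required_patches - posture.patches):
        manual.append(f"install patch {patch}")
    for key, wanted in sorted(policy.required_registry.items()):
        if posture.registry.get(key) != wanted:
            manual.append(f"set registry value {key} to {wanted!r}")

    if manual:
        return Decision.QUARANTINE, manual + self_heal
    if self_heal:
        return Decision.RESTRICT, self_heal
    return Decision.PERMIT, []


# Constructed sample data: the date, patch ids and registry key are placeholders.
TODAY = date(2004, 5, 10)
POLICY = Policy(
    max_signature_age_days=7,
    required_patches=frozenset({"PATCH-A", "PATCH-B"}),
    required_registry={"EXAMPLE\\AutoUpdate": 1},
)
GOOD_REG = {"EXAMPLE\\AutoUpdate": 1}
ALL_PATCHES = frozenset({"PATCH-A", "PATCH-B"})
SAMPLE_REPORTS = [
    Posture("laptop-ok", True, True, date(2004, 5, 8), ALL_PATCHES, GOOD_REG),
    Posture("laptop-stale", True, False, date(2004, 4, 20), ALL_PATCHES, GOOD_REG),
    Posture("laptop-unpatched", True, True, date(2004, 5, 9),
            frozenset({"PATCH-A"}), GOOD_REG),
    Posture("laptop-noagent", False),
]


def run_samples():
    """Audit every constructed report and return {host: Decision}."""
    return {p.host: audit(p, POLICY, TODAY)[0] for p in SAMPLE_REPORTS}


if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        decision, steps = audit(report, POLICY, TODAY)
        print(f"{report.host:18} {decision.value:11} {'; '.join(steps)}")
```

The remediation list returned with each decision is what the article's vendors stress: a host that is locked out also needs to be told how to get back in.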


Target: Remote Workers 


Besides InfoExpress, other vendors in 


the field include Zone Labs Inc., Sygate 


Inc., Symantec Corp., Network Associ- 
ates Inc. and Trend Micro Inc. Net- 
working giant Cisco Systems Inc. en- 
tered the fray last fall when it launched 
a major endpoint compliance initiative 
called the Network Admission Control 
program (see box, right). 

Almost all the enforcement software 
that’s deployed is targeted at mobile 
and remotely connected systems, says 
Phil Schacter, an analyst at Midvale, 
Utah-based Burton Group. 

“One of the biggest factors has been
the endless onslaught of viruses and 
worms that potentially can be trans- 
mitted through open ports on any net- 
work-connected machine,” says James 
Demos, a security administrator at a 
major publishing house in New York. 

“The pace picked up last year and is 
unrelenting at this point,” he adds. 

Demos, who asked that his company 
not be named, is planning to deploy 
ZoneAlarm from San Francisco-based 
personal firewall vendor Zone Labs. 

The centrally managed security 
suite will allow Demos to enforce poli- 
cies related to the use of firewalls, 
antivirus software and configuration 
settings for all VPN-connected corpo- 
rate users. Unlike the company’s exist- 
ing personal firewall software, Zone- 
Alarm, which acts as a firewall in 
addition to monitoring compliance, 
can't be disabled by users who don’t 
have the administrative privilege to 
make system changes. In the event that 
someone does find a way to do so, a 
log of the change is made. 

“Once the software is deployed, it 
should be running. If it’s not, the user 





won't get in,” Demos says. 
The software can either 
block the user from the 
system automatically or 
alert administrators of a 
problem and leave 
enforcement to them. 

For some companies, such 
software does more than just 
protect against worms and viruses. 
For example, Terra Nova Trading LLC 
uses a combination of in-house tools 
and third-party software to monitor 
client systems for illegal chat and 
peer-to-peer software in addition to 
handling basic security functions, says 
Kevin Ott, vice president of technolo- 
gy at the Chicago-based financial ser- 
vices company. 

The third-party desktop manage- 
ment software, which Ott declines 
to name, allows Terra Nova to scour 
employee desktops for illegal appli- 
cations and shut them down before 
they’re launched. In addition to 
searching for specific file names and 
extensions, the software registers any 
new or unusual processes running on 
a user’s system to prevent users from 
circumventing policies by simply 




changing file names. 
“We ran into some 
technically savvy users 
who figured they could 
rename the executable. 
We were able to identify 
them” and shut down the 
software, Ott says. 
Sara Lee Coffee & Tea North 
America, a Harrison, N.Y.-based divi- 
sion of Sara Lee/DE, is using software 
from San Diego-based Websense Inc. 
not only to detect and automatically 
shut down any peer-to-peer or chat ap- 
plication but also to enforce quotas on 
the amount of time employees can 
spend on commercial Web sites during 
office hours. The idea is to give users 
the ability to browse commercial Web 
sites, but only for specific amounts of 
time, says Steven Annese, IT manager 
at the company. 

Such technologies can also help com- 
panies uncover security risks that might 
otherwise be missed, says Sygate user 
Jim Kirby, a network engineer at Wells’ 
Dairy Inc. in Le Mars, Iowa. 

It was only after the company in-
stalled an enforcement component to
its endpoint defenses that it discov-
ered that firewalls on end-user devices
were frequently being switched off —
sometimes for unknown reasons, and
sometimes because a user had re-
imaged the system, Kirby says.


CISCO is using its position as the pre-
eminent supplier of corporate network
gear to enter the market for endpoint
security enforcement technologies.

Under the Network Admission Con-
trol program it launched last fall, Cisco
to develop products that will let compa-
nies deny, permit, quarantine or restrict
admission to networks, based on an
end user's security status.

Cisco's NAC technology is made up
of multiple components, including the
following:

• A Cisco trust agent that sits on end-
point systems and collects information
on client security, such as the status of
antivirus signatures and patch levels.

• Network access devices that en-
force admission control based on the
information provided to them by the
trust agent.

• A policy server that instructs net-
work access devices on the appropriate
policies that need to be applied.

As part of its effort, Cisco has li-
censed its trust agent technology to its
NAC partners: Symantec, Network As-
sociates and Trend Micro. The three
vendors will integrate the Cisco soft-
ware into their antivirus products. In ad-
dition, Cisco will integrate its trust agent
with its own Security Agent technology
for checking the status of operating sys-
tem patches.

Cisco’s NAC technology, which is
due to ship by June, will allow compa-
nies to enforce endpoint security com-
pliance without affecting performance
for end users, claims Jeff Buton, a se-
nior director of technology marketing at
the company.

Cisco's widespread presence in
corporate networks makes its NAC
effort worth watching, says Phil Schac-
ter, an analyst at Burton Group. “Cisco
has woken up the market to the value of
such technologies in a big way,” he says.

But the limited number of vendors
that Cisco is currently partnering with
has raised some concerns about it deliv-
ering a “closed solution” to its customer
base, Schacter says. For a technology
such as NAC to be truly successful, a lot
depends on the ease with which users
are able to integrate it with their existing
security technologies, he says.

- Jaikumar Vijayan


Looking Closer to Home 


The increased focus on remote end-
points is driving a trend toward the
same kind of enforcement on locally
connected machines as well, says
Frederick Felman, a vice president at
Zone Labs. In such cases, the enforce- 
ment agent sits between the LAN 
switch and an authorization, account- 
ing and authentication server. It audits 
end-user systems for policy compli- 
ance before network access is granted, 
Felman says. 

“Most of our sales in the last two 
quarters have come from such users,” 
says Felman. 

But if you adopt measures to en- 
force policy compliance, you also 
have to have good mechanisms for 
remediation, says Stacey Lum, presi- 
dent of InfoExpress. Users who get 
locked out of a corporate network for 
failure to comply need to have a place 
to go where they can quickly bring 
their systems into compliance, or have 
a procedure for doing so themselves, 
Lum says. 

For instance, Tripos lets remote 
users connect directly to the Internet 
to download the patches and fixes they 
need in order to log onto the corporate 
VPN. The company’s InfoExpress soft- 
ware also lets Tripos push patches to 
remote users who have high-speed 
connections. 

Moreover, failure to properly explain 
the steps being taken to enforce end- 
point security can result in a lot of 
calls to the help desk, says Schacter. 

“When we first turned on the en- 
forcement, it wasn’t perfect,” Kirby 
says. “There was a little bit of an up- 
roar over it.” 

The key is to have policies that give 
users reasonable ways to fix problems,
Schacter says.

“You need to be able to get the fix 
down to the desktop in some reason- 
able series of steps so that the user 
can try again and be let in,” Schacter 
says. “If you make things too difficult 
for the end user, there is going to be 
so much push-back that you may not 
be able to deploy these technologies.” 
PRODUCTS AND VENDORS

For a listing of vendors who offer endpoint compliance software, visit our Web site:

QuickLink 46496
DOES EVERY SINGLE EMPLOYEE HAVE HIS OWN PORTAL? That’s how it sometimes appears to frustrated IT managers seeking to streamline their infrastructures.

In the past several years, many enterprises have seen portals — or tiny intranet sites that users think of as portals — spring up like dandelions. Frequently created by an enthusiastic power user with little or no IT oversight, portals may belong to a satellite office, a department or a functional group of employees (such as salespeople). They may be little more than a welcome screen and a half-dozen links, or they may be true transactional sites used by customers and trading partners.

Today, businesses are waking up to the fact that 
portal proliferation is a potentially expensive mess at 
best and a disaster waiting to happen at worst. As a 
Gartner Inc. report in October 2003 put it, “Many en- 
terprises — instead of easily reaping rewards from 
their portal implementations — find themselves 
dealing with a jungle of multiple portals that com- 
pete for the same resources and audiences.” 

The resulting expense is difficult to track, because 
small portals are scattered across geographic regions 
and lines of business. “You want to save money even- 
tually [by consolidating portals], sure,” says Steve El- 
lis, executive vice president at Wells Fargo & Co.’s 
Wholesale Services division. “But it’s almost as im- 
portant just to understand where that part of your 
spend is going.” 

Tracking content on unauthorized and unsuper- 
vised portals is essentially impossible, a circum- 
stance that sets the scene for disaster, given today’s 
strict accountability regulations. Laws such as the 
Sarbanes-Oxley Act require enterprises to monitor 
and control all outward-facing communication. 

Organizations seeking to consolidate portals are 
soon confronted with a number of thorny technology 
issues. “Each [existing] portal has different tool sets, 
languages and approaches to content and applica- 
tions,” says Frank Torbey, a consultant at Tandem- 
Seven Inc., a Plymouth, Mass.-based firm that helps 
large businesses build portals. Log-on and user- 
identity features may also be handled differently, 
he adds. 

Today, businesses typically have separate portals for 
employees in general, the sales force, customer ser- 
vice and perhaps suppliers. Each portal must access 
data from a range of applications (human resources, 
payroll, CRM, ERP, supply chain management, ac- 
counting and purchasing) and then add a presentation 
layer. When a company considers consolidation, IT’s 
challenge is to rationalize existing portals into one 
system that addresses the data, functionality, person- 
alization and authentication needs of all users. 

The good news for IT managers is that there are 
more tools available for portal consolidation than 
there were a few years ago. Longtime portal special- 
ists such as San Francisco-based Plumtree Software 
Inc. and Austin-based Vignette Corp. are facing com- 
petition from nearly every major vendor of enter- 
prise software. 

This widespread availability of portal software has altered the purchase decision landscape, according to Torbey. “Many of our clients started their portals with a Plumtree or a Vignette,” he says. “But if that company is a heavy SAP user and now they see SAP has a strong portal offering, do they migrate [all their portals] to SAP?” Torbey says many TandemSeven clients face a similar decision if their company is heavily invested in IBM, PeopleSoft Inc., Oracle Corp. or Microsoft Corp. applications.

Wells Fargo’s existing investment in BEA technology led the company to pick the vendor again for portal consolidation, says Steve Ellis, executive vice president at Wells Fargo’s Wholesale Services division.

By Steve Ulfelder

Ellis says Wells Fargo’s investment in BEA Systems 
Inc.’s enterprise software played a major role in the 
San Francisco-based company’s decision to use 
BEA’s WebLogic Portal to create a consolidated por- 
tal for employees. “We already used BEA for applica- 
tion servers, and that connection was important be- 
cause it simplified pulling data and workflow out of 
[existing applications],” he says. 

A few years ago, businesses seeking to implement portals were likely to perform a “runoff” among leading portal-software specialists. Today, Torbey says, the choice is different: A large company is likely to be a customer of at least a few vendors that now offer portal tools, so the question is, which one does the company migrate to?

If that seems like an easier choice, think again. In 
late 2001, Whirlpool Corp. in Benton Harbor, Mich., 
decided to streamline its portals picture. 

“We had a lot of Web sites that people called por- 
tals — less than 50 — but we were headed down that 
[proliferation] path,” says Gil Urban, Whirlpool’s in- 
formation systems director. Various Whirlpool facto- 
ries, regional offices and business units had each 
thrown together Web sites or portals. 

Initially, the manufacturing giant leaned toward Plumtree’s portal software, which Urban describes as “the leader at the time.” But Whirlpool’s goals expanded when the company decided to develop a portal for all 15,000 of its employees. “We’re a heavy IBM user with lots of IBM infrastructure,” Urban says. As a result, Whirlpool opted to use IBM’s WebSphere Portal, even though he thought some competitors’ products were superior at the time.

“In 2001, it was a good product, but not best in 
class,” Urban says. “But we thought that in the future 
it would be the best, and now it is.” 

Here’s where things get complicated, though, not 
just for Whirlpool but potentially for other large 
businesses: The manufacturer is also a major user of 
SAP enterprise applications. When Whirlpool select- 
ed IBM, SAP’s NetWeaver portal product wasn’t yet 
available. Now that it is, Whirlpool is implementing a 
split strategy that will tack an SAP front end onto 
WebSphere Portal for the 2,000 or so employees ac- 
customed to working with SAP. “Those 2,000 will 
have an SAP interface to the operational side,” Urban 
says. “But for standard employee services, they’ll be 
on MyWhirlpool,” the company’s IBM-based portal. 


Content Management 


When companies start to consolidate portals, one of 
the big headaches they run into is scattershot con- 
tent updating. Depending on the enthusiasm and ex- 
pertise of employees, some departments diligently 
update their portals or Web pages — while others 
may lag behind by months or even years. 

That was the case when the nation of Bermuda undertook a project to convert its 38 departmental portals and Web sites into a single portal that would serve citizens, businesses, tourists and government workers. Bermuda’s government considered more than a dozen vendors before settling on Plumtree.

According to Nigel Hickson, Bermuda’s e-commerce chief, content management and related workflow were key Plumtree differentiators.

Bermuda plans to designate a content maintainer in each government agency, then train agency workers to fill out templates provided in Plumtree Content Server. IT has created standardized portlet templates so content maintainers don’t have to worry about issues such as formatting. For example, when an e-mail address or phone number changes, the maintainer simply calls up a “Contact Us” portlet, keys in the new data and saves.

Like many other organizations, Bermuda’s government early on decided to blow up its existing portals and Web sites and rebuild from scratch. Hickson says that in the long run, this involved less work and made for a cleaner final product than would have been possible through integration.


What happens next varies by agency — that’s the flexibility Hickson likes. “In the Department of E-commerce, it’s just me,” he says. “So the approval process, such as it is, consists of me checking my spelling.” In a larger agency with a more defined workflow, the people who need to sign off on a change are automatically notified that the content maintainer has made one.


Getting a grasp on the myriad Web, intranet and portal sites that most businesses have is a task more and more IT managers are facing. But much of the work is just a matter of excising unneeded content — Ellis says Wells Fargo turned 10,000 pages of content into 2,000 — and a variety of applications automate significant parts of the process.


The taxonomy products offered by portal vendors can help with this consolidation. Taxonomy tools use Web services to scan other data sources, such as Web pages, for new or deleted content, thus automatically updating an enterprise portal directory. Without such a directory, the applications and content in the portal can result in sprawl.


Wells Fargo uses BEA’s taxonomy tools to ensure that data from outside sources remains pertinent and up to date, Ellis says. And delivering fresh, useful information is the goal of any portal project. @ 46449

Ulfelder is a Computerworld contributing writer in Southboro, Mass. He can be reached at sulfelder@charter.net.


Setting the Standards 


Two evolving standards could help make portal consolidation easier for companies by letting developers write interchangeable components, called portlets, in any language and environment they choose:

• Web Services Remote Portlet (WSRP). This standard was approved last September by OASIS, the Organization for the Advancement of Structured Information Standards. The idea is to allow portals to use Web services technology to invoke various content sources. WSRP backers say widespread adoption of the standard will free enterprises of the need to either host a content source at the location of the portal server or to write new code for each remote content source. Instead, developers would write portlets in the environment of their choosing.

WSRP enjoys the support of virtually every vendor in the portal arena.

• JSR 168. This specification is intended to enable interoperability between portlets and portals. The name refers to the number of the Java Specification Request created by the Java Community Process, a group of Java developers and licensees. JSR 168 will define a set of application programming interfaces for portals, addressing aggrega-

So far, the standards have received mixed reviews. “There's certainly a market need for standards in this field, because portal deployments are expensive and require specialized skills,” says Ray Valdes, an analyst at Stamford, Conn.-based Gartner.

However, Valdes describes the first versions of WSRP and JSR 168 as “underpowered.” He adds, “It’s not quite accurate to say they were too little, too late - but they took a long time to arrive and weren't as valuable as people had been hoping.”

However, OASIS and the Java Community Process are already working on stouter versions of WSRP and JSR 168. And because each standard enjoys unusually broad vendor support, they are expected to take hold in the next 18 months and make it significantly easier for IT organizations to write portal components.

~ Steve Ulfelder
ROBERT LANG, a laser physicist and origami artist for more than 30 years, continues to be amazed at the potential applications of the centuries-old art of paper folding. “You would think that there is not much you can do with origami as an art form that has not been already figured out,” he says.

But, Lang adds, origami artists continue to “demonstrate new structures and realize new levels of beauty,” a statement well supported by his own origami renderings of subjects such as cows, fish, blue herons and owls.

Origami was purely a hobby for Lang until he decided to apply the kind of mathematical modeling he used in laser physics to paper folding.

Lang, who is based in 
Alamo, Calif., now considers 
himself a full-time artist. He 
says computational origami 
helped him automate the 
process by which he deter- 
mined how to make the pre- 
cise kinds of folds 
needed to produce a 
multilegged insect and 
its antennae. 

After he did that, he 
realized that the theory and 
equations he developed to 
make better origami figures 
could also be applied to engi- 
neering problems in which a 
large surface needs to be fold- 
ed to fit into a flat space with- 
out cutting. 





Ancient art finds industrial, 
medical uses. By Bob Brewin 


Today, while concentrating 
on his art, Lang also works as 
an industrial consultant, ap- 
plying his computational 
origami expertise to the de- 
sign of a range of products, in- 
cluding consumer electronics 
and medical equipment. 


From Birds to Air Bags

EASi Engineering GmbH in Alzenau, Germany, asked Lang to help determine how to squeeze a very large object — an automobile air bag — into a tiny compartment inside a steering wheel. Lang had already developed algorithms to flatten a set of polygons, and he applied them to a computer simulation of how to flatten the 3-D polyhedron shape of an inflated air bag. This process saved time and eliminated the expensive requirement of crashing real cars to determine if an air-bag design would really work, Lang says.

The air-bag design was 
based on an algorithm Lang 
calls the “universal molecule,” 
which flattens a set of poly- 
gons so their edges remain 
aligned to one another. 

Lang sees a definite future for computational origami in engineering and design work, but he acknowledges that the field is relatively esoteric and requires artistic as well as computational, mathematical and engineering skills.

“You have to be able to fold 
paper” before proceeding to 
computational origami, he says. 

Lang developed software called TreeMaker that runs on Apple Macintosh computers and helps automate origami design. The program, which Lang said can be mastered by a high school student, helps users figure out how to fold a square into a number of shapes. A user outlines a figure on the TreeMaker screen, and the software determines the number of flaps required to make that particular shape.

If users want to create advanced designs (such as that of an air bag), they can download additional algorithms from the Treemaker Web site (http://origami.kvi.nl/programs/treemaker/).

But Lang says only 100 or so people have downloaded the software, and only about five or 10 are using it, another indication that the field of computational origami is still in its early stages.


Bad Folds 


Erik Demaine, a 22-year-old professor of electrical engineering and computer science at MIT, started folding paper at age 6 and developed that hobby into the study of the mathematics of folded forms.

Demaine now studies folds in proteins, the basic building blocks of life. He believes that computational origami could fight diseases that are currently incurable, such as mad cow disease, which are caused by proteins that have what he calls “bad folds.”

Demaine, a 2003 winner of a MacArthur Foundation Fellowship — commonly known as a “genius” grant — calls protein folding his “main area of interest” and says he plans to apply what he learned from paper folding to figure out why some proteins fold into a useful shape and others do not. That research could eventually lead to the design of custom proteins that fight disease. The custom proteins could then be unleashed to destroy “bad” proteins.

Ajay Royyuru, manager of the computational center at IBM Research in Yorktown, N.Y., agrees that determining the way various proteins twist and fold could help provide cures for diseases such as Alzheimer’s and cystic fibrosis.

Computational origami could help scientists crack some basic secrets of protein structure and sequence, Royyuru says. The technology could help scientists determine why a protein falls into a specific shape “and why that shape and nothing else.” High-speed computers can be used to develop “fold recognition” software and help simulate folding patterns, Royyuru says.

But determining what he refers to as “correct” and “incorrect” protein folds by modeling them with computational origami is a daunting task, he says, requiring computers two to three times more powerful than the most powerful supercomputer in existence.

That power can be delivered only by a computer operating at a quadrillion operations per second (1 petaflop, or 1,000 teraflops), and IBM is developing such a computer as part of its Blue Gene project. IBM says it will have a machine capable of 360 teraflops by 2005, but Royyuru says advancing to a petaflop-speed machine will be “quite a jump,” and he can’t predict when a computer like that will be available.

Even after such a machine is delivered, it could still take decades to unravel the mysteries of protein folds, Royyuru says. But perhaps that effort will be aided by science that harkens back to techniques used to create elegant paper birds. @ 46430


MORE ONLINE 


Computational origami goes to the fair 
Read about it online: 


QuickLink 46687 
www.computerworld.com 
Security Policy
A Paper Tiger


Ignored security policies result in problems 
ranging from rogue access points to inade- 
quate incident response. By Mathias Thurman 


I FACED TWO ISSUES this week, and both came about as a result of security policies that have been routinely ignored. The first had to do with our wireless LAN infrastructure.

Although I work out of the 
main data center, I frequently 
travel to the corporate head- 
quarters campus. On those oc- 
casions, I often use my iPaq 
Pocket PC and AirMagnet 
Inc.'s software to scan 
for rogue access 
points on the WLAN. 
The installation of 
unauthorized APs has 
been a continuing 
problem, so when I 
detected one the oth- 
er day, I wasn’t surprised. 

This AP registered a signal 
strength of about 70% — 
strong enough to lead me to 
believe that it wasn’t transmit- 
ting from outside of my com- 
pany’s offices. Indeed, I was 
able to associate to the AP, 
open a browser window and 
get to the corporate intranet. 
The device had no encryption 
enabled, it was broadcasting 
the Service Set Identifier 
code, and the AP gave my de- 
vice an IP address that wasn’t 
within our corporate address 
range. 

I called the network engi- 
neering group and gave it my 
device’s media access control 
address and location, thinking 
that they could log into the 
switch that was serving the lo- 
cation, look up my MAC ad- 
dress, identify the port and 
trace it to a specific wall jack. 
In the past, I’ve successfully 
identified rogue APs in this 
manner. 

However, in this instance, the group wasn’t able to find my MAC address. I even had the network engineer check some nearby switches, but no luck. Then I tried using AirMagnet’s Find utility, which works as a signal-strength meter to help locate the AP. I’ve gotten close in the past using this method, but it still requires that I peek into employee offices, conference rooms, break areas and so on, to visually locate the AP. In the process, employees have gotten upset with me and started complaining.

This time, however, it worked like a charm. I could see the AP sitting right on top of an employee’s monitor.

The device was a WLAN router, which explains why my MAC address didn’t show up on the switch port. Because this AP functioned as a router, not a hub, the MAC address wouldn’t have registered on the switch. The employee wasn't in, so I had the facilities department open his office. I then unplugged the AP and left a note indicating why I had disconnected it.
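The checks in this account (an AP outside the inventory, no encryption, a broadcast SSID, a lease outside the corporate range, then a switch MAC-table lookup that fails when the AP is a router) can be written as one triage routine. This is an added example, not part of the column; the address range, AP inventory, signal threshold, MAC addresses and switch names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All values below are constructed for illustration; none come from the column.
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed corporate range
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01"}              # assumed AP inventory
ON_PREMISES_SIGNAL_PCT = 60                            # assumed threshold


@dataclass
class Observation:
    """One AP as seen by the handheld scanner."""
    bssid: str
    ssid_broadcast: bool
    signal_pct: int
    encrypted: bool
    leased_ip: Optional[str] = None    # lease received after associating
    intranet_reachable: bool = False   # could the scanner open the intranet?


def locate_on_switches(client_mac, mac_tables):
    """Return (switch, port) where the scanner's MAC was learned, else None."""
    for switch, table in mac_tables.items():
        port = table.get(client_mac.lower())
        if port is not None:
            return switch, port
    return None


def triage(obs, client_mac, mac_tables):
    """Classify one observed AP; returns None for inventoried APs."""
    if obs.bssid.lower() in AUTHORIZED_BSSIDS:
        return None
    findings = []
    if obs.signal_pct >= ON_PREMISES_SIGNAL_PCT:
        findings.append("strong signal, probably on premises")
    if not obs.encrypted:
        findings.append("no encryption")
    if obs.ssid_broadcast:
        findings.append("SSID broadcast")
    foreign_lease = (obs.leased_ip is not None and
                     ipaddress.ip_address(obs.leased_ip) not in CORPORATE_NET)
    if foreign_lease:
        findings.append("lease outside corporate range")
    if obs.intranet_reachable:
        findings.append("intranet reachable through AP")

    # The scanner's MAC can only appear on the wired side once it has associated.
    location = locate_on_switches(client_mac, mac_tables) if obs.leased_ip else None
    if location:
        action = "trace_port"    # bridged AP: the switch port leads to a wall jack
    elif obs.intranet_reachable:
        # Routed AP: the switch learns only the router's own MAC, so the
        # lookup fails and the AP has to be found with a signal-strength meter.
        action = "signal_hunt"
    else:
        action = "monitor"       # unconfirmed; may belong to a neighbour
    if obs.intranet_reachable:
        severity = "high"
    elif obs.signal_pct >= ON_PREMISES_SIGNAL_PCT:
        severity = "medium"
    else:
        severity = "low"
    return {"bssid": obs.bssid, "severity": severity, "action": action,
            "location": location, "findings": findings}


if __name__ == "__main__":
    scanner_mac = "00:0e:35:aa:00:01"                        # constructed
    tables = {"sw-hq-3": {"00:0e:35:bb:00:02": "Gi0/9"}}     # scanner MAC absent
    rogue = Observation("00:0f:66:12:34:56", True, 70, False,
                        "192.168.1.100", True)
    print(triage(rogue, scanner_mac, tables))
```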
Later, the employee said he had installed the AP because his boss “said it would be OK.” Neither of them had read the network access policy on our intranet, which prohibits unauthorized network-access devices from being attached to the corporate network. Apparently, our policy awareness training still isn’t working. I sent him a note with a Web link to the policy.

Something in Common

A few weeks back, in the aftermath of a SQL Slammer outbreak, a manager proposed that my small group take on incident-handling and remediation issues — a task that other departments take care of today and that we're not equipped to do [QuickLink 46060].

I researched how we can do a better job and discovered that IT security isn’t the only group with a written incident-handling policy. The data center operations group has its own, 20-page guide, and the networking group has something similar. Each contains relevant information with respect to incident-handling best practices, but each is department-specific. What’s even more disturbing, however, is that no one uses these documents. They just sit in a binder on a bookshelf or in electronic form in a shared disk space available only to members of each department.

To rectify that, I wrote a single-page incident-protocol document that outlines the main steps all departments should take when responding to an incident. My goal was to create something that could be printed on a small reference card and placed next to the telephone contact list, security badge and SecurID token that most operations employees carry around. I focused on four areas: preparation, identification, response and containment.

Preparation deals with knowing whom to call when an incident occurs. Identification addresses how to identify and classify an event to avoid false positives. Response dictates the actions to take when an incident has occurred, and containment deals with how to keep the incident from doing more damage or continuing to affect the network.


For example, containment might involve disabling a switch port or implementing access control lists on a router.

I want the reference card to help workers become more efficient at handling incidents in a timely manner. Eventually, we'll create a formal crisis-action team and run simulations for training.

Although we're getting better at responding to incidents, common problems arise. One is that no one wants to take charge. There are always lots of managers, directors, engineers and analysts standing around the operations center, looking at logs, e-mail and other tools and forming opinions. But no one is calling the shots. Eventually, someone steps up to the plate.
Another problem is that there is always confusion as to who should conduct certain activities. For example, a common and easy way to identify a Windows resource on an enterprise network is to enter the nbtstat -A command. In our desktop and production server environment, this command will typically identify the user or system name of the machine.

For some reason, there’s always a question regarding who should issue the command. I don’t quite understand why, as it’s a task that takes only a few seconds to complete. Hopefully, by creating a common incident-response protocol and ensuring that everyone is on the same page, our responses to all events will become standardized, and incident management will become a routine aspect of doing business.


WHAT DO YOU THINK?

This week's journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussion in our forum: QuickLink a1590

To find a complete archive of our Security Manager's Journals, go online to computerworld.com/secjournal
Security Bookshelf

Digital Evidence and Computer Crime, Second Edition, by Eoghan Casey; Academic Press, 2004.

This behemoth of a book offers more than 680 pages of useful information on digital forensics and computer crime. There’s something for everyone - law enforcement agencies that collect and process evidence, forensic analysts, lawyers and other information security professionals. The author starts out with a good overview of the history, law and general process surrounding forensics and com-
Need Answers to Your Business Intelligence Questions?

Apply to Attend Computerworld’s IT Executive Summit on Business Intelligence


If you’re an IT executive* in an 
end-user organization, apply to 
attend one of Computerworld’s 
upcoming complimentary one-day 
summits on 


Neither a product nor a system, Business Intelligence (BI) is an architecture — a collection of interrelated operational and business performance measurement applications and databases.

The only way to succeed with BI applications is to understand their complexity, their cross-organizational nature, the needs of knowledge workers, your competition, your market, and customer trends.


This summit will give you a 
comprehensive, one-day overview — 
and will arm you with the latest 
thinking and tools to make the 

right investments in BI. 


*Complimentary registration 
is restricted to qualified 
IT executives only. 


Off to See the Data Wizard: Reporting from the Yellow Brick Road 
User Case Study 


Business Intelligence in Action at NASD 


Evolving the Enterprise: Leveraging Information for Competitive Gain 


Industry Analyst Perspective: 
The IT Bottom Line: Proving the Value Delivered 


Panel Discussion: 


Creating the Transparent Organization: New Roles for Business Intelligence 
with Corporate Customers, Suppliers and Government Regulators 
For more information or to apply, visit

Exclusively sponsored by:

COMPUTERWORLD

intel

Maryfran Johnson, Editor in Chief, Computerworld
Martin Colburn, EVP and CTO, National Association of Securities Dealers
Jim Davis, SVP, SAS
William Farrow, CIO and EVP, Chicago Board of Trade
Julia King, National Correspondent, Computerworld

IT EXECUTIVE SUMMIT
BUSINESS INTELLIGENCE

30 COMPUTERWORLD May 10, 2004


Voyence Launches Networking System

Voyence Inc. last week announced its Voyence Guaranteed Success software, which is intended for configuration management of heterogeneous networks of all sizes. Voyence Guaranteed Success must run with the VoyenceControl appliance for full network design, change and compliance management capabilities, according to the Richardson, Texas-based company. Voyence Guaranteed Success starts at $15,995 for support of up to 100 devices and is available now. That price includes the VoyenceControl appliance, as well as training and certification.


Exact Upgrades Collaboration App

Exact Software North America announced that it has added features to its Exact e-Synergy Web-based collaboration application that will allow users to perform portal-based online cataloging, order entry and order management tasks. The new features, called Web Shop, are designed to integrate with e-Synergy and the company’s Macola Enterprise Suite, which automatically receives and processes orders, said Andover, Mass.-based Exact Software. Web Shop is available now as part of e-Synergy and is priced at about $1,000 per user.


Apreo Releases 
Enforcement Tool 


Apreo Inc. has launched Workstation PolicyShield, an application that’s designed to manage and enforce appropriate use of files and software by workers. Workstation PolicyShield detects spyware, peer-to-peer programs, games and other unapproved files at the moment they are written to the network, rather than after they are installed, said the Newport Beach, Calif.-based enterprise software vendor. Pricing for the application starts at $945 for 100 users.





TECHNOLOGY 


Livin 
low 


NICHOLAS PETRELEY 


RECENTLY SPENT the better part of a week 
working with the latest version of the open- 
source GNOME graphical desktop environment 


on Linux. 


I’ve decided that the only way to explain the 
regression of GNOME over the years is that Microsoft 
and/or SCO moles have infiltrated the GNOME leader- 
ship in a covert effort to destroy any possibility that 
Linux could compete with Windows on the desktop. 


To paraphrase the hu- 

morist Peter Schickele, 

who was describing what it 

was like to discover a new 

music manuscript by the 

(fictional) inept composer 

P.D.Q. Bach, “Each time I 

get a new version of 

GNOME, there’s this feel- 

ing of anticipation and ex- 

hilaration — a feeling that 

this new version of 

GNOME can’t possibly 

turn out to be as bad as the 

last one. But so far, each new version 
lives down to the same low standards 
set by the previous one.” 

By the time a software project gets 
to Version 2.6, a user might reasonably 
expect that he wouldn’t have to adapt 
to yet another paradigm shift in basic 
user-interface design, especially when 
it comes to something as fundamental 
as how you navigate through desktop 
folders. Yet this is precisely what users 
will have to relearn with this latest 
version of GNOME. 

The GNOME file manager, Nautilus, 
no longer allows users to navigate 
through folders as one might use a 
Web browser or Windows Explorer. 
You no longer browse with all your op- 
tions accessible in a single window or 
a split window with a directory tree on 
the left and icons on the right. Instead, each double-click on a folder icon opens a new window on the screen. If this sounds familiar, it’s because this was the default behavior of Windows 95, OS/2 and early versions of Mac OS. The fact that this isn’t the default behavior of any mature desktop operating system might have served as a warning sign to GNOME’s developers, but never mind that.

Having used OS/2 for years, I found GNOME’s retro approach to be a rather pleasantly nostalgic experience. But now that I’m used to navigating folders the way one does on virtually every other desktop, however, I decided to tell the file manager not to open a new window for every folder. But it turns out there is no preference setting that tells Nautilus to use a single window to browse folders.

The only way to change the default 
behavior of Nautilus is to set an ob- 
scure registry key via the command 
line or the registry editor. Not even 
that abomination of operating systems, 
Windows 95, made users retreat to the 
registry editor to use a single window 
to navigate folders. I can only assume that the GNOME developers decided to make Nautilus a worse Windows than Windows. I toast their rousing success.

Granted, there are myriad unintu- 
itive keystrokes and shift-key/mouse- 
click operations you can use to make it 
easier to navigate folders, all of which 
will mean squat to the daft simpletons 
the GNOME developers say they are 
targeting as their users. But GNOME 
developers have long since abandoned 
logic when defending their design 
choices. For example, one GNOME de- 
veloper says there’s a good reason why 
users can’t change individual colors in 
desktop themes: Someone might acci- 
dentally make both the text and back- 
ground white, thus rendering the text 
unreadable. 

Of course, this flaw has nothing to 
do with the inflexibility of the primi- 
tive graphical tool kit upon which 
GNOME was based. It was deliberate- 
ly designed to protect users who are 
invariably too incompetent to pick 
their own colors but are smart enough 
to memorize shift-clicks and key- 
strokes or edit the registry to get Nau- 
tilus to work the way they like. 

Of all the criticisms one might lodge 
against GNOME, it’s the hypocrisy of 
its design philosophy that looms 
largest. GNOME grew out of the de- 
sire to free people from Microsoft’s 
ability to dictate what users can or 
can’t do. Yet GNOME is built on the 
premise that its developers are so 
much wiser than users when it comes 
to navigating folders and setting colors 
that GNOME users shouldn’t have a 
choice in the matter. With an attitude 
like that, heaven help us if GNOME 
turns out to be the only defense Linux 
has on the desktop against a Microsoft 
hegemony.


MANAGEMENT


Managing IT Risk at Delta 
Delta Technologies uses a 
rigorous but simple scorecard 
to balance the risk of technology 
failure against the costs of 
upgrading. Page 34 


OPINION 


Risk/Reward Contracts: 

Laying the Foundations 

Bart Perkins explains how to manage this 
type of contract to maximize the rewards 
while minimizing the risks. Page 37 


Career Watch 

Mary Finlay, deputy CIO at Partners 
HealthCare, talks about the Regional 
Leadership Forum and soft skills. 
Plus, tips for managing conflict in 
the IT workplace. Page 36 


SUTURES, surgical instruments and other medical supplies typically account for a hefty 25% of a hospital’s operating budget. Add labor and logistics costs, and the total jumps to 35% to 40%, according to the Healthcare Financial Management Association, an industry professional organization in Westchester, Ill.


Yet compared with other industries, like high tech, auto manufacturing and consumer packaged goods, health care — and hospitals in particular — is downright dinosaurian when it comes to deploying IT to better manage the supply chain.

Experts recite a litany of explanations, including drum-tight budgets and a sort of institutionalized acceptance of labor-intensive manual materials-management processes.

“Hospitals and clinics tend to want to focus the dollars they have on patient care. They’re not going to channel their capital budget into supply chain,” says David Youndt, chief operating officer at Hospital Logistics Inc., a for-profit hospital supply and logistics company launched by University Health Network in Toronto.

their prognosis. By Julia King

Given hospitals’ primary clinical 
mission, supply chain excellence is 
typically undervalued by top manage- 
ment, say many in the industry. 

“The prevailing thinking is that ma- 
terials management are those people 
we can just keep down in the base- 
ment,” says Sara Friesen, former direc- 
tor of supply chain at Sunnybrook and 
Women’s Hospital in Toronto. Now, 
Friesen is general manager of Shared 
Healthcare Supply Services, also in 
Toronto. 

In the U.S., as in Canada, the hospital 
industry remains highly fragmented, 
which has stymied the development of 
standards for naming, describing, or- 
dering and paying for the tens of thou- 
sands of products that hospitals use. 
With more than 5,000 hospitals and 
health care systems in the U.S., no sin- 
gle organization is large or powerful 
enough to dictate how the supply chain 
works, as Wal-Mart does in the retail 
sector, says Lee Marston, CIO at Broad- 
lane Inc., a health care software and 
services company in San Francisco. 

Also, very few hospitals have a sin- 
gle, integrated computer system for or- 
dering, tracking and paying for sup- 
plies. The upshot is that physicians 
and other clinicians regularly buy the 
brands they prefer rather than items a 
hospital may have contracted for at a 
discounted price. 

Broadlane conducted a yearlong 
analysis of all of the supplies purchased 
at one of its multihospital clients. It 
found that the chain had spent more 
than eight times what it would have 
spent had its clinicians all purchased 
the same supplies at the lowest con- 
tracted price. “You find out millions 
could be saved if everyone got together 
and paid the same price,” Marston says. 

The problem is that most hospitals lack integrated computer systems and therefore don’t have easy access to that kind of detailed data.

And it’s only getting worse as the in- 
dustry consolidates and hospitals face 
the onerous task of integrating their 
computer systems with those of the fa- 
cilities they acquire. 

Meanwhile, the cost of these com- 
bined supply chain inefficiencies is 
staggering, says Albert Pang, an analyst 
at market research firm IDC. Hun- 
dreds of millions, if not billions, of dol- 
lars are left stranded throughout the 
hospital supply chain in the absence of 
common computing platforms, stan- 
dard product descriptions and accu- 
rate contract pricing data. 

Change is coming, but very slowly. 
Industry groups are working on product
data standards, and physicians are
slowly but surely coming to appreciate 
the efficiencies of technology, such as 
wireless handheld devices used to 
electronically write and transmit pre- 
scriptions. For now, though, few hospi- 
tals have seriously tackled supply 
chain issues. Here’s a look at two that 
have, using very different strategies. 





Allina Hospitals
& Clinics
MINNEAPOLIS 


With 1 hospitals and 43 clinics in Min- 
nesota and Wisconsin, $1.8 billion Alli- 
na is a textbook example of a hospital 
system that grew by merger and acqui- 
sition. In 1999, each of the facilities had 
relatively good materials management 
practices in place, but they were run- 
ning on no fewer than six legacy com- 
puter systems in which procurement 
and payment data was not automatically
integrated with the accounting system.
The Y2k remediation effort gave
Allina an opportunity to implement a 
common computing platform for its 
highly fragmented materials manage- 
ment operation, says Scott Grove, di- 
rector of IT. 

Allina implemented Lawson Software Inc.’s materials management and financial applications as well as its contract-pricing application, which keeps track of the ever-changing prices of the thousands of products Allina has negotiated under contract with various suppliers. By early 2000, the system had gone live, giving hospital administrators their first glimpse of overall materials purchasing activity.

“With a common system, we finally had a stadium to play the supply chain game in,” says Grove. “We spent a lot of time mining transaction data to come up with good usable [purchasing] information,” which pinpointed where off-contract buys were being made. In the first year, the system determined that only 50% of Allina’s purchases were on contract.

In 2003, the health care industry wasted more tha

“Large hospitals buy a lot of stuff 
they want quickly off of contract,” 
Grove says, and the hospital ends up 
paying a premium on those orders. 

In January 2003, Allina set a goal to 
bump up contract purchases of sup- 
plies to 70%, something that Grove 
says is possible only with “very, very 
clean data and very targeted informa- 
tion.” One of the key tasks for IT, 
which worked with the hospital’s con- 
tract administration group, was keep- 
ing contract and pricing data current 
and accurate, Grove says. 

Every month, the contracts administration group combs through purchasing reports to determine which buys were made on and off contract, tracing transactions down to departments and individual buyers. They learned that “if you’ve got very targeted information and a few people making a lot of the impact, you can change the numbers very quickly,” Grove says.

Between February and November 2002, spending on supplies dropped from 13.2% to 12.8% of net patient services revenue, but that small change netted between $4 million and $4.5 million, Grove notes. Allina also reached its 70% contract buying goal, which translates to $100,000 in savings for every 1% improvement in contract compliance, he adds.

For IT, attaining supply chain efficiencies in health care is “a heavy maintenance issue of keeping data clean,” Grove says. “If you can do that, you then have accurate information. What IT did is really focus on providing that information and left the change management issues to organizational managers.”

The bottom line: “There is significant payback, but it’s [money] you don’t know you're losing until you make an effort to go out and quantify the problem,” Grove says.


FIRST, THE GOOD NEWS: Business-to-business health care exchanges, medical distributors and manufacturers of health care products all are leveraging IT to streamline hospital supply chains.

Now, the bad news: There's little, if
Health care has no one gatekeeper. There are hundreds of thousands of products, ever-changing contracts, multitiered price structures based on purchase volumes and no single set of standards for naming, describing or buying and selling products electronically. There's also keen competition for control, which so far has made matters worse, not better, experts say.

“Different players have a vested interest in the way the supply chain is being run,” says IDC analyst Albert Pang. “Often, individual suppliers, distributors and group purchasing organizations try to build their own ecosystems via EDI or other electronic transaction systems that make direct connections to hospital facilities.” All too frequently, the upshot is more and more uncoordinated data, rather than useful information.

- Julia King


University Health
Network
TORONTO

Dissatisfied with the performance of an outsourcer it had hired to handle supply logistics in the late 1990s, the three-hospital University Health Network teamed with its consulting partner, Toronto-based Thiinc Logistics Inc., to form a for-profit hospital supply logistics company. Today, that company, known as Hospital Logistics, serves two other corporate health care customers in Toronto as well as its own three hospitals. The venture has yet to turn a profit, but it has increased the accuracy of deliveries, which ultimately translates to better patient care, says Kevin Empey, vice president of finance and corporate services at University Health Network.

“Before, we were receiving between 85% and 90% of products [that had been ordered] every day. Now, we get between 98.5% and 99.5%,” reflecting a significant increase in order accuracy, Empey notes. Among other things, that means surgical cases aren't delayed or postponed because the required instruments aren’t available, he says, adding “we did not do this for cost savings; we did it for service.”

Nevertheless, a better supply logistics operation had to begin with an integrated computing system that could track contract information, orders and payments as well as warehousing and delivery operations.

Hospital Logistics bought and modi- 
fied ERP software from Tecsys Inc., a 
Montreal-based vendor. The system 
supports radio frequency identification 
scanning and the use of handhelds as 
well as in-hospital logistics activities, 
such as stocking and setting up prod- 
ucts at nursing stations. In all, the sys- 
tem tracks more than 25,000 items, all 
on a just-in-time basis, from the point 
of origin to delivery at a nursing sta- 
tion. “We spent a lot of time on IT and 
designing an integrated IT platform,” 
says Youndt. 

Sunnybrook and Women’s Hospital, 
one of Hospital Logistics’ customers, 
eliminated its on-site supply ware- 
house and now maintains minimal 
backup inventory because supplies 
have an order-to-delivery turnaround 
time of less than 12 hours. Customer 
hospitals maintain very little inventory 
and have more accurate data about 
product replenishment, says Friesen. 

Hospital Logistics also has a direct 
electronic link with its customer hos- 
pitals’ general-ledger systems, to 
which it uploads transactional infor- 
mation. Hospital administrators can 
see exactly which products were pur- 
chased from which suppliers, so they 
can reconcile payments against con- 
tracted prices. 

“Now we're able to access better 
supplier information for products that 
flow through hospital logistics,” says
Friesen, who handles all of the con- 
tracting and purchasing for three 
Toronto hospitals, including Sunny- 
brook and Women’s. 

“The real benefit to clinicians is they 
now truly have the products they need 
when they need them,” says Friesen. 
“The patient care staff can spend time 
delivering patient care instead of wor- 
rying about chasing down supplies.” 










COMPUTERWORLD May 10, 2004 


MANAGEMENT


Managing IT Risk at Delta


The airline uses a 
rigorous but simple 
scorecard to balance 
the risk of technology 
failure against the 


costs of upgrading. 
BY GARY H. ANTHES 


[Chart: sample scorecard by business area (Business Area 1, Business Area 2, ...). Caption, partly illegible: “... column (see chart to the right) produces a scorecard like this, color-coded for high (red), medium (yellow) and low (green) risk.”]

Managers at Delta Technology Inc. once endlessly debated whether they should spend money to upgrade or replace their IT assets, from laptops and mainframes to networks. Although the IT capital budget is prepared annually, these debates “seemed to occur daily,” says Brian Leinbach, senior vice president for development at the subsidiary of Atlanta-based Delta Air Lines Inc.

But the debating and wrangling has now largely stopped, he says, thanks to a simple but relatively rigorous framework for analyzing the costs and risks of IT infrastructure renewal. “It’s fairly intuitive,” Leinbach says. “Simple ideas are often best.”

The framework is based on a curve that weighs the risk of failure against the cost of investments. At one end, risks are low but the investments required are too high. For example, it might cost x to reduce the risk of failure to one in a million, but to reduce it further might cost 100x, which is considered too high for the expected payoff. At the other end, investments are modest but risks are too high.

Leinbach says Delta strives to stay near the middle of the curve in a “manageable” area between unacceptable risk and unaffordable investment. The company’s annual capital budget of $200 million supports mainframes, Unix and Windows NT servers, desktops, and voice and data networks.

Delta Technology has developed a weighted score for each combination of business area and IT asset, based on five factors: technology age, business value at risk, platform supportability, platform complexity and risk of failure (see large chart). Each is then assigned a green, yellow or red flag, depending on whether the IT asset in that business area is deemed to present low, medium or high risk to the airline.

The results are combined and might show, for example, that the server infrastructure presents a medium risk for Business Area 1, a low risk for Business Area 2 and a high risk for Business Area 3 (see small chart).

SOURCE: DELTA TECHNOLOGY INC.

The method works for all parts of the business, Leinbach says. “Even if you are just in finance and responsible for the books, that’s not required to keep an airplane in the air, but you can’t run the company very long if you can’t file your paperwork.”

The final step in preparation for budget writing is to develop multiple spending scenarios that show the impact on risk (again by color) in each of the business areas that would result from different levels of spending on IT infrastructure renewal.

The scorecards help focus managers’ attention on risks. “It makes everyone take stock of their systems,” Leinbach says. “A big red stoplight is a great communications tool.” The risk analysis framework has made it easier to understand capital expenditure priorities and to communicate them to all levels of management, he adds.

“Doing this by business area allows us to have a one-on-one relationship with someone on the business side of the table,” Leinbach says. “You are really counseling them, saying, ‘If we spend this much in this area, these are the results. Are you OK with that? How much risk do you think you can take? Do you want to help me lobby for more money overall so your share could be larger?’ ”

“And a finance guy might have a different view of risk versus a guy in flight operations,” he adds.

The data on IT asset failure probabilities and modes is highly automated, Leinbach says, but “some of the other stuff is harder. Some is business knowledge, and some is intuition.”

Although Delta’s methodology is relatively simple, it’s more rigorous than what’s employed by 75% to 90% of Fortune 500 companies, says Jack Heine, an analyst at Gartner Inc. It gives IT people a good tool for showing the possible consequences of budget cuts and for predicting their effects on future risk, he says.

“The fact that they have formalized it is a very good thing, and so is the fact that they are actually applying it to their future migration planning,” Heine says. When business people ask what IT has done for them lately, he says, IT can say, “ ‘Well, we quantified the risk in 2004, and we will be able to measure our capabilities and successes against plan in 2007.’ That’s great.”


RISK-SCORING GUIDELINES

[Chart; the column headings and some entries are illegible. Legible entries, in chart order:]

Would disrupt noncore functions (e.g., finance, HR).
Would disrupt customer-facing systems or reduce operational capacity.
Would disrupt core operations (e.g., flights).

A generally available product.
No longer generally available but fully supported by vendor.
Vendor has announced end of life for platform but still supports it.
No longer supported by vendor.
No support; spares in short supply or nonexistent.

Single function, single application

History of normal failure rates.

High risk: 18-25
Medium risk: 11-17
Low risk: 5-10







When he was director of knowledge management at the World Bank, Stephen Denning discovered a powerful leadership tool: storytelling. He found that it often succeeded in inspiring and motivating people when cold, hard logic failed. In May’s Harvard Business Review, Denning describes how good storytelling can galvanize an organization around a business goal. He told Kathleen Melymuka how IT leaders can make this low-tech tool work for them.

When we talk about storytelling in an IT environment, how are we defining story? I’ve defined it in a fairly broad way to be any account with time, place and a sequence of events.

How do stories succeed in moving people to action where logic and analysis fail? The presenter of a logical analysis asserts a proposition: “The cat sat on the mat.” To which the response is, “No, it didn’t.” If, on the other hand, I say, “Let me tell you about a cat that was sitting on a mat,” then we’re arm in arm, looking together. I’m not forcing a conclusion. But when the listener thinks, “Maybe that could apply in my context,” then you’re one millimeter away from starting to implement something. Actions follow from narrative.

Why do business and IT leaders resist the idea of storytelling as a business tool? The 20th century was the high point of the premise that anything not analytic and logical doesn’t have any intellectual respectability. Many disciplines have come to see that that vision of life isn’t the whole story, but management and IT are among the last bastions of the world as a machine.

Given that bias toward the analytic, if an IT leader starts telling a story, don’t you think the department will roll its collective eyes? If you announce, “I am going to tell you a story,” you'll get the rolling of the eyes, but when I was reporting to the CIO at the World Bank, I never said that. I said, “Let me tell you about something that happened two weeks ago,” and curiosity is raised, and before you know it, they’re following the story.


You talk about the need to match the story to the situation. How would an IT leader use a story to spark action? In the fall of 1998, I was called to give a presentation on why the World Bank should bother with knowledge management when we seemed on the brink of global financial crisis. I said, “Let me tell you something that happened two weeks ago. A World Bank highways team in Pakistan got an unexpected question from Pakistani highway administration. They wanted to try different technology, and they needed to make the decision the next week. What did we advise? The team contacted 300 highway experts in and outside the bank by e-mail. In the next 48 hours, they got help from someone in Jordan using that technology, someone in Argentina writing a book on the subject, someone in New Zealand with guidelines. ... Now that we have this knowledge, we can make it available through the Web for anyone.” They said, “Why aren’t we making this happen all over the organization?”

What is it about that story that makes it work? There’s a particular pattern underlying that story. It has a protagonist with whom the audience is likely to empathize. It actually happened, and the truth of the story snaps listeners out of complacency. It’s positive in tone. And it’s told in a minimalist fashion, because I don’t want them thinking all about what’s going on in Pakistan; they need space in their minds to think, “Yeah, I can do this in my environment.” Once executives can learn to understand that pattern, whether they’re introducing CRM or SAP, they’ll know how to find a suitable story to spark people to action.

Another high priority in IT is fostering collaboration. What’s an example of how a story could help a project team jell? We were asked by a director to help get his squabbling group to be more collaborative. We had a meeting with them and asked for a volunteer to tell a moving story about some recent work-related event. We said, “Pull out all the stops and tell everything you felt about what was happening to you.” That story sparked a whole series of stories from the rest of the group. People were interested in hearing the stories because they were about the same subjects they were grappling with, and they wanted to tell their stories. By the end of an hour, the group realized they had a common perception of the problems and what needed to be done. With a chain reaction of stories, it’s remarkable how quickly a group can move to a collaborative mind-set.

IT isn’t known for loquacious folks. Can introverted, analytical people become good storytellers? The most effective storytellers are not glib extroverts. In fact, when a storyteller is stumbling and clearly struggling, then listeners reach out and help and fill in the blanks. But we're all storytellers. We start telling stories spontaneously at the age of 2. Then school and work tell you to put away stories. But we are a storytelling species. Dogs sniff each other; humans tell stories.

This is the latest in a series of monthly discussions with authors on topics of interest to IT managers.


Create Stories to Match the Situation

USE A STORY THAT

Tells how change was implemented in the past and allows listeners to imagine how it might work in their situation.
Avoid too much detail. It can take listeners’ minds off their own challenges.

Movingly recounts a situation that listeners have also experienced and that prompts them to share their own stories on the topic.
Provide time for people to swap stories and have an action plan ready to tap the energy the exchange will unleash.

Highlights, possibly through humor, some aspect of the rumor that shows it to be unlikely.
Avoid being mean-spirited and make sure the rumor really is false.

Evokes the future you want to create, without providing too much detail that may turn out to be wrong.
Be confident of your storytelling skills. Otherwise, use a story in which the past serves as a springboard to the future.
IT for a group of 10 hospitals employing a total
graduate of the Society for Infor-
firm believer in the critical importance of the soft skills the forum focuses on. Since the RLF was launched in 1992, more than 1,200 IT professionals have graduated and many of them are now
ing Cigna Corp. and Sharp Electronics Corp.


How do SIM’s Regional Leadership Forums work? A forum meets every six weeks for two days, over a period of about eight months. Throughout that time, we read about 35 books focused on a range of topics. Speakers come in to facilitate peer-to-peer discussions. The main purpose of the forum is to take a holistic view of leadership. You spend very little time talking about technology. It's more about the skills you need as an IT leader, which range from thinking about IT governance and measuring value to negotiations and softer skills, such as building relationships with the executive team, communications and professional networking.

In such a tight economy, has the emphasis on soft skills for IT personnel fallen off somewhat? There has been a greater emphasis lately on how to do more with less, and there has been more of a demand for financial skills and the ability to deal with regulators. But at the end of the day, if you're in an IT senior-level position, you have to be able to get up in front of a room of people and sell ideas and negotiate for what's important. I haven't seen that go by the wayside.

How about managing people? What an IT person wants from a manager is to know that the manager cares about their success and professional development. At the bare minimum, I have my directors ask all of their reports what they want to do next and how the director can help them get there. That question should be integral to ongoing discussions with direct reports. If a person feels a manager doesn't care about them as a person and a professional, that person will leave the company.

What do you consider the most important nontechnical skills that IT leaders should develop? Relationship skills, including how to build relationships with your functional counterparts and others on the executive team, and communications skills. You need to write well and speak well. One of the things they had us do in the Regional Leadership Forum is prepare and give our “elevator speech.” That's the speech you give when the CEO gets in the elevator and you have three minutes to convey what you're doing. Always have that elevator speech in your back pocket.

- Julia King


NUMBERS CRUNCH:
Workplace
Issues


SOURCES: WWW.WORKRELATIONSHIPS.COM,
WWW.BADBOSSOLOGY.COM; 2004


I have been a victim
of workplace
bullying.


BASE: 418 workers polled online between
November 2002 and March 2003


Worth Noting 


People don't leave 
a company, they 
leave a manager. 


The costs for an employee 
who resigns due to interper- 
sonal relationship problems 
are extensive; some studies 
indicate that the costs are up 
to three times the departing 
employee's annual salary. In 
addition, there are other costs 
involved, such as hiring and 
training for the replacement 
position. 

- WWW.WORKRELATIONSHIPS.COM 


I have observed someone
else being bullied in the
workplace.


BASE: 417 workers 


SOURCE: THE BUSINESS RESEARCH LAB LLC, HOUSTON 


www.simnet.org 
www.workrelationships.com 
www.shrm.org 


www.badbos: 


McClintock to Lead
Arch Insurance IT


Scott McClintock has been pro- 
moted to senior vice president 
and CIO at Arch Insurance Group, 
a division of Arch Capital Group 
Ltd., a Bermuda-based reinsur- 
ance company. McClintock will 
establish a long-term IT architec- 
ture for Arch and implement busi- 
ness unit efficiency initiatives. He 
joined Arch in 2002. 


Nextel Boosts EDS
Contract by $100M


Electronic Data Systems Corp. 
announced that it has amended 
its current five-year master ser- 
vices agreement with Reston, 
Va.-based Nextel Communica- 
tions Inc. to cover additional ap- 
plications development and host- 
ing services, increasing the con- 
tract’s value by about $100 mil- 
lion. Under the 2001 agreement, 
Plano, Texas-based EDS provided 
Nextel with comprehensive IT 
services, including data center, 
database administration, disaster 
recovery and help desk functions. 


BP CIO Joins 
Mapinfo Board 


Mapinfo Corp., a provider of 
location-based business intelli- 
gence software in Troy, N.Y., 
announced the appointment of 
Simon J. Orebi Gann to its board 
of directors. Orebi Gann is cur- 
rently CIO at BP PLC’s integrated 
supply and trading business and 
is vice president of digital and 
communications technology. 


Saab Signs Entopia 


Saab AB, a maker of defense 
electronics in Stockholm, has 
chosen K-Bus from Entopia Inc. 
in Redwood Shores, Calif., to 
help improve worldwide informa- 
tion-sharing and collaboration. 
K-Bus facilitates the consolida- 
tion of unstructured data from 
multiple sources such as data- 
bases, Internet sites, intranets 
and e-mail systems. 
Risk/Reward Contracts:
Laying the Foundations


UNDER THE RIGHT CIRCUMSTANCES, risk/reward contracts can provide significant benefits to both buyers and sellers [QuickLink 45728]. Because these contracts withhold a significant percentage of the fees until the project is successfully completed, they offer a way to share both risks and rewards with your supplier. Risk/reward contracts are more complex to negotiate and manage, however, and require careful consideration. Here are some steps you can take to minimize difficulties.

Determine whether you have a good candidate for a risk/reward contract. Do this before you pursue contract negotiations. Risk/reward contracts work best with:

■ High-risk projects with significant business benefits. Use risk/reward only when the potential benefits warrant the additional effort.

■ Established suppliers. Because of the complexity of these contracts, you will do better if you select a supplier with an excellent track record, preferably one you already have a strong relationship with.

■ Companies with strong internal relationships. Risk/reward contracts require significant internal cooperation and work best in companies where legal, finance and HR departments already have a strong working relationship with IT.

Use clear metrics. The success of your risk/reward contract will depend on it. These measures form the basis for determining whether additional financial payments are warranted. They are particularly necessary in multiyear contracts, where management changes are almost sure to occur. Having clear metrics can help you avoid being at the mercy of widely differing interpretations of whether success has been achieved.

■ Choose metrics that reward specific behavior. For example, metrics for a new application might specify an average response time of two seconds. If you want to eliminate large deviations in response times, add a related metric specifying that 95% of the transactions will take place within one to three seconds.

■ Develop metrics to eliminate arguments with suppliers regarding whether their incentive payments should be made. Clear metrics remove ambiguity. Imprecise measures are often subject to debate.

■ Design metrics carefully. Poorly designed or insufficient measures may result in unintended consequences or give suppliers the ability to play games with the numbers. One company tried to motivate data entry operators by paying a bonus for more than a certain number of keystrokes per hour. The operators soon learned they could “increase productivity” by repeatedly tapping a single key.

Define counterbalancing measures of success. Make sure that your metrics take into account and accurately reflect multiple goals. For example, if the only measure of success is response time, a systems integrator might require faster processors and higher bandwidth, thereby making the ongoing operating costs higher than they should be.

Get interdepartmental support early.

■ Finance. Since benefits often accrue over several budget years, the finance staff will need to accept multiyear “at risk” accruals that represent contingent liabilities on the balance sheet (i.e., payments you will make only if the vendor performs well). In some cases, it may take several years to construct and install a new system and start reaping the benefits. Finance will need to accrue potential additional payments as soon as the endeavor starts, rather than waiting until the end and being surprised by the total fees.

■ Legal. In addition to normal contract terms, you will need to negotiate special situations. For example, if your risk/reward endeavor is canceled through no fault of the supplier (e.g., your company is acquired and the new owner decides to shut down the project), the supplier will want to be paid some portion of the potential additional fees it might have received at normal project completion.

■ HR. Some internal incentive programs may need to be adjusted. Suppose, for example, you construct a joint project team in which everyone works hard to deliver the project early. If the systems integrator’s staff gets a bonus and your HR policies forbid you to pay a bonus to your staff, that could create resentment.

Risk/reward contracts require more preparation, precision and cooperation. But when they are used appropriately, they motivate suppliers to deliver successfully. This leverage serves as an insurance policy against failure and provides incentives for joint success.
How does your rack really stack up?


Take the APC Rack Challenge and find out how 
the New NetShelter® VX outperforms your brand. 


Whether you are consolidating servers, relocating your data center, or centralizing 
distributed networks, selecting the right brand of enclosure is crucial to successful 
implementation. Take the APC Rack Challenge today to make sure your facts and 
your racks really stack up. 


THE APC RACK CHALLENGE 


Name 
Company: 
Address 


How many racks do you currently have installed? 


Compaq Rack 
10000 Series 
(245161-B21) 


no side panels 


NetShelter® VX Your rack brand here: 


(AR2101BLK) 


no side panels 


Features to expect in today's 
IT rack enclosures 


Integrated rear power distribution 
channels that provide zero-U, 
toolless mounting of basic, 
metered, and switched rack-mount 
power distribution units. 


Integrated rear cable management
channels that allow efficient cable
routing and easily accessible
cable containment.


Available with scalable
cooling options to support
heat densities up to 7.5kW*.


Exceeds major server requirements
for front door ventilation.

Meets or exceeds warranty
requirements for all major servers.


InfraStruXure compatible. 

Seamlessly integrates into APC's 
modular, manageable, pre-engineered 
data center architecture. 


Vendor neutral rack configurator 
designed to support most third party 
servers and networking devices. 


“Fits Like a Glove”** money back 
guarantee that all IT equipment 
will fit in the rack. 


Compare! Savings 
of almost 40% 



Designed specifically for the cabling, 
cooling and security demands of today’s 
IT environments, the NetShelter® VX is a 
complete infrastructure compatible with a 
full range of integrated APC components. 
Vendor-neutral, all you need to add are 
the servers of your choice. 


NetworkAIR™ RM Air Distribution Unit 


Unique 2U rack-mounted fan 
unit delivers additional cool 
air and improves circulation. 


1U Rack-mount LCD 
Monitor/Keyboard Drawer 


Maximizes space in 
data center environments. 


Environmental Monitoring Unit


Monitors ambient temperature,
humidity and other environmental
conditions in racks.


Rack-mount PDU


Provides up to 5.7kW of power,
eliminating the need for multiple
outlet strips per rack. Available for
both single- and 3-phase input power.


*Based on APC Internal Research and testing. ** See link on promotions page for terms and conditions. † Source of average pricing: www.HP.com. Prices may vary or change from time to time. Not applicable to other SKU's or models.


Legendary Reliability®


132 Fairgrounds Road, West Kingston, RI 02892 USA
Without doubt the Boston metro area has been among those most hard hit by the downturn in the technology economy. The telecommunications sector, in particular, continues to see problems, and Terra Lycos has announced additional layoffs and a lowered price on the sale of its Lycos.com operation. Similarly, the financial services sector has stumbled, with the buyout of John Hancock by Canada’s Manulife Financial Corp.


However, Boston continues to market itself to the 
high tech world based on its access to a strong 
workforce, universities and existing business base. 
Further evidence can be found in close to $100 
million in venture capital and federal grants for early 
stage companies and an uptick in job listings at 
companies ranging from Staples Inc. to Partners 
HealthCare. Boston.com — a business newsletter for 
the region — continues to follow the financial 
fortunes of an emerging new technology community, 
the Boston Life Sciences 20. The Life Sciences 20 
includes companies such as Boston Scientific, Charles 
River Laboratories, Biogen Idec, Millennium 
Pharmaceuticals, PerkinElmer and Transkaryotic 
Therapies. 


Partners HealthCare — parent company for The Children’s Hospital, Beth Israel Deaconess Medical Center, Brigham & Women’s Hospital and Massachusetts General — has 50 information technology jobs currently listed.


Advertising Supplement


In addition to some of the longer-term 
pharmaceutical and life sciences companies, the area 
boasts of a dozen new start-up companies. These 
include Biomeasure Inc., Nexcelom Bioscience and 
Agencourt, which recently received a $30 million 
grant from National Human Genome Research. 
Biomeasure, which is now a division of French 
pharmaceutical company Ipsen, is building a new 
38,000-square-foot factory. The Boston Tech Center, a 
345,000-square-foot facility, is under construction 
and also will provide needed office and lab space for 
Boston's growing biotech and life sciences industry. 


Raytheon, one of the long-term corporate 
headquarters in the area, is also on a hiring cycle. 
Currently, the corporation lists 10 jobs in the 
information systems area supporting its 
businesses. More importantly, the corporation has 
posted 75 job openings during quarter one for 
software engineers, architecture developers and 
systems engineers to work on security and defense 
contracts. 
Staples Inc. also continues its push in using
technology to reach customers and improve 
operations. The high tech research community in 
the Boston area is also showing some 
improvement. Forrester Research has shown stable 
performance over the last six months. IDC, a 
division of IDG — parent company to 
Computerworld, InfoWorld and NetworkWorld — is 
hiring research analysts, particularly in the areas of 
healthcare and life sciences. 


For more information about IT Careers 
advertising, please contact: Nancy Percival 
Vice President, Recruitment Advertising 
800.762.2977 

500 Old Connecticut Path 

Framingham, MA 01701 

Produced by Carole R. Hedden 
Engineering Deve analysis
ager-Offshore : For transfer proces plan, dzn 
cle mgmt co & systems inte- 
shore res & de nel grn. PM for system & pins 
S'ware dev »perni. CRM 
Sales, Svc, Mktng), Collabora- 
tive CRM (CTI 
team of deve 
ers; project f 
& test at 
Bach's in Com 
y assessments & 
offered or 3 y t CRM & ERP ba 
Sys Analyst ir 
envt. Exp must 
enterprise, netwo 
proces: 
chi SH/HS Framework 
DSP-TI & 
dows CE, ITRON, p 
Works, C OS 
Trimedia SDE 
TRACE 32 for Hitachi SH, ARN 
developer Ste, Red Hat Embed- 
ded Tool Ste & Platform Bi r 
Overseas travel requir 
wk. Send res. to E-5 
1924, Phila., PA 19105. 


Clear 


tion. Lead 

lopment, | e 
delivery, client relation 
team deliveries. BS in CS + 
exp. in job duties OR 5 yr exp in 
IT PM, Internet tech. & ERP. 
Must be Clarify CRM Prof. and 
Six Sigma green belt certified 
Comp. salary. Apply: Unilinx 
PROGRAMMER/ANALYST to 625 


5 Alexander Dr., # 110 
analyze, design, develop and Alpharetta, GA 30022 witt 
maintain client/server and web- 


Computer Professionals 
(Multiple Openings) 


Software Engineer/Systems 
Analyst/Database Administra- 
tor/Network Administrator Mil- 
waukee, WI. Must have bache- 
lors degree or equivalent and 
experience in some of the fol- 
lowing skills: C/C++ ava 
Web Methods, Cold O 


Silk, € K- 
ng).Position 
requirement: Must be willing 
to travel and /or relocate per 
project specification Mail your 


sinc.com or 
Director, IK Solu’ 
N. Farwell Ave 
Milwaukee, WI 5. 





of perm. Work authzn 
based application 
using Java, J2EE, Java Script 
Java Bean, Ap JSP. 
Servlets, EJB, WebLogic, XML
HTML, SQL Server and Oracle 
under Windows NT and UNIX 
operating systems. Require 
Bachelor's degree in Computer 
Science, an Engineering disci- 
pline, or a closely related field UNIX. Bachelors or Equivalent 
with 2 yrs of exp in the job req'd in Computers, Engineer- 
offered or as a Systems Analyst ing, Math or related field of 
Extensive travel on assignment study +1 yr of related exp. 40 
to various client sites within the hrs/wk. Must have legal author- 
US is required. Competitive sal- ity to work permanently in the 
ary offered. Send resume to: a 
John Watson, Venturi Technolo- U.S: Send resume to HR 
gy Partners, 9428 Baymeadows Manager, Compro Consulting 
Rd, Ste 500, Jacksonville, FL Group, Inc., 7179 West,111th 

St, Worth, IL 60482 


software 


PROGRAMMER ANALYSTS 
for Worth, IL office. Design & 
Develop software applications 
using Oracle, XML, UML, C++ 
Sybase, Interwoven, Coolgen 
ClearCase, ClearQuest, PVCS 


32256; Attn: Job AA. 


System Adr 4 
for Burtonsvi MD office M 
working on Windows, win- 


Design & maintain LAN, WAN 
Network 
Intranet 


Segment, Internet 
Install & 
maintain Exchange Servers 
Multiplexes Line Drivers 
modems 
hubs, cabling and other hard- 
Bachelors r 
Computers, Engineering + 2 yrs 
of exp. 40 hrs/wk. Must have 
legal authority to work perma- 
nently in the U.S. Send resume 
to HR Manager, Childway/KIO 
Services Inc., 4058 Blackburn 
Lane, Burtonsville, MD 20866 


Systems 


scanners D-link 


ware 


d in 
dows2000 server, Windows
200€ advanced server, Linux, 
Novell platform 
ways, LANS/W 
walls. Re: 
systems ad 
management 
ment, LAN, VPN, r 
management < 
n-house us 
clients. 


1 external 


The job responsibility requires 
travel as required. Please send 
your resume and cover letter to 
Human Resources, Profession- 
al Consulting Services, Inc 
1415 North Dayton, #3S 
Chicago, IL 60622





Consultant Systems Analyst will 
develop leading edge testing 
methodology to stress test next 
generation high volume (1+ mil- 
lion users) financial applications 
built on WebLogic middleware 
using custom developed 
LoadRunner virtual users. Will 
deliver application performance 
and system resource profiles of 
all application components 
Will analyze applications and
characterize performance of 
systems to identify bottlenecks. 
Will conceptualize and execute 
test plan for stress, stability, unit 
and load/performance testing 
with a user population of 13 mil- 
lion customers for both web- 
based and client/server applica- 
tions. Will assist clients in vali- 
dating multiple architecture rec-
ommendations and in the selec 
tion of a cost-effective solution 
that meets performance and 
capacity requirements for 
branch network and future 
Capacity projections. Requires 
Bachelor of Science or equiva- 
lent in Computer Science 
Engineering, Math, or Physics 
and one (1) year in job offered 
OR one (1) year experience in 
systems integration and perfor- 
mance testing. Candidate must 
possess demonstrated exper- 
tise in high volume capacity 


mance 
Runner; der 
in performanc 


st in the Mercury 
ctive LoadRunner tool 
$87,975/yr, M-F, 9AM- 
2 resumes to 

Labor 

Office, 19 Staniford St 

Boston, MA 02114 EOE 
Applicants must be U.S. workers 
eligible to ac t full-time 

employment in U.S 


Software Engineer - Applica- 
tions. Sought by Englewood 
Colorado consulting company to 
work in various unanticipated 
locations throughout the U.S 
Duties: Develop, create and 
modify general computer appli- 
cations software or specialized 
utility programs. Analyze user 
needs and develop software 
solutions. Design software or 
customize software for client use 
with the aim of optimizing opera- 
tional efficiency. Analyze and 
design databases with an appli- 
cation area. Use of Visual Basic, 
XML, UML, SQL Server 2000, 
DB2, SQL, C++, COBOL. Reqs.
Masters or equivalent in Com- 
puter Science, Computer Engin- 
eering, Engineering (any field) 
or related field. Plus 1 year in the 
job offered or 1 year in a related 
occupation, including Systems 
Analyst, Programmer Analyst or 
Applications Developer. $73,231 
/year, 40/hrs/wk, 8AM-4PM. Re-
spond by resume to WORK- 
FORCE DEVELOPMENT PRO- 
GRAMS, PO Box 46547, Den- 
ver, CO 80202, and refer to Job 
Order No. CO5075643. 


PROGRAMMER ANALYSTS 
req'd for Raleigh, NC office 
Design & Develop software 
applications using C, C++, VB, 
Delphi, ASP, XML, UML 
Coolgen, Interwoven, Oracle
PL/SQL, Developer 2000 & 
Designer 2000; Bachelors or 
Equivalent req'd in Computers, 
Engineering, math or related 
field of study + 1 yr of related 
exp. 40 hrs/wk. Must have legal 
authority to work permanently in 
the U.S. Send resume to HR 
Manager Allied Business 
Consulting, Inc., 8700 W.Bryn 
Mawr, Suite 800 South, 
Chicago, IL 60631 




Software Engineer wanted to 
analyze software reqts. & prod- 
uce functional specification doc- 
uments & implement software; 
create test specs. for new sub- 
systems; analyze & reengineer 
software legacy system; provide 
mgmnt. w/effort estimations & 
implementation trade offs; apply 
software design patterns in C++ 
environment; design software 
using UML, Visual C++, C++, 
COM/DCOM, ATL & STL; modi- 
fy real time multi-threaded fram- 
ework adapter to support COM/ 
DCOM; design the interfaces 
between different subsystems to 
reduce dependency & boost de- 
velopment process; develop 
COM/DCOM code generator to 
generate ActiveX automation 
components using Rhapsody & 
ATL tech.; optimize software for 
performance & memory, GDI 
handles & other system resourc- 
es using Visual Quantify, Purify 
& PC-Lint; develop configuration 
mgmnt. adapters for ClearCase 
MKS, VSS, PVCS Version man- 
ager, on Windows & UNIX oper. 
systems; assist customers & 
customer support team. Must 
have Bach. deg. in Comp. Sci 
or related field & 4 yrs. software 
development exper., incl. exper. 
with software modeling tech- 
niques & UML, exper. with C++ 
MFC & COM tech. incl. internals 
of COM/DCOM & ActiveX tech., 
& exper. w/configuration mgmnt 
tools incl. Rational/ClearCase & 
MKS/Source integrity as well as 
expertise in multi-threaded pro- 
gramming concepts & develop- 
ment. Salary $93,209/yr. Send 
2 resumes to Case#200204206 
Div. of Career Services, Labor 
Certification Unit, 19 Staniford 
St., 1st fl., Boston, MA 02114 


IT PROFESSIONALS 
Consultant 


(Glen Mills, Pennsylvania and 
other locations through the 
U.S.). Under the supervision of 
Senior Consultants, Managers. 
and Senior Managers, assist in 
providing consulting services for 
implementation, testing, devel-
opment, maintenance and en- 
hancement of software pack- 
ages and applications. Design 
software packages Utilize 
Rational Rose to design system 
architecture in Unified Modeling 
language (UML). Utilize Rational 
ClearCase, Rational Clear- 
Quest, Adobe Photoshop 
Adobe Illustrator, Micromedia
Dreamweaver, Micromedia 
Flash, Microsoft Frontpage, Vis- 
ual Interdev, and Homesite to 
develop programming logic and 
web interfaces. Conduct quality 
assurance testing of software 
applications. Create and main- 
tain systems documentation. 


Salary $60,000 per year. Mon- 
Fri, 9:00 am to 5:00 pm. The 
position requires: Bachelor's 
degree or equivalent in Comput- 
er Science, Engineering (any), 
Information Systems or Busin- 
ess Administration + 2 years of 
experience in the job offered or 
2 years of experience as a 
Systems Analyst, Consultant or 
Developer. Related experience 
must include at least six months
of experience in Adobe Photo- 
shop, Micromedia Flash, Micro- 
soft Frontpage, and Visual 
Interdev. 


Please send your resume, refer- 
encing Job Order Number WEB- 
415747 to the: PA Careerlink, 
FLC Unit, 235 W. Chelten Aven- 

Philadelphia, PA 19144 


PROGRAMMER ANALYSTS for 
Charlotte, NC office. Develop 
software applications using VB, 
Crystal Reports, Delphi, ASP, 
XML, Coolgen, Interwoven; De- 
velop client/server applications 
in Oracle, PL/SQL, Developer 
2000 & Designer 2000. Bach- 
elors or Equivalent req'd in 
Computers, Engineering, Math 
or related field of study +1 yr of 
related exp.40 hrs/wk. Must 
have legal authority to work per- 
manently in the U.S. Send 
resume to HR Manager, 
Masterminds Global Solutions, 
LLC, 6000 Fairview Road, 
#1200, Charlotte, NC 28210. 


Systems Analyst 
Analyze, design, and deploy 
customized IT solutions based 
on a client's needs and business 
environment. Must have Bach- 
elors Degree or foreign equiv. in 
Computer Science or in a relat- 
ed field & 1 yr. exp. or 1 yr. exp 
in a related position w/ability to 
use: OS Windows, C#, MDX, 
OLAP, and XML and must be 
willing to travel and relocate 
40.0 hrs./wk 9:00 AM - 6:00 PM. 
Applicants send cover letter 
and resume to: 

SRA Systems, 1945 Cliff Valley 
Way, Suite 270, Atlanta, GA 
30329, Attn: S. Srinivasan 


Radiant Soft Sol, Inc., a S/ware 
Consulting Co, seeks to fill fol- 
lowing Multiple Openings in 
Arlington Hts, IL & unanticipated 
locs in US: 


Sr. Software Consultants (BS+3 
yrs exp), Business/ Systems/ 
Programmer/QA Analysts (BS + 
2yrs exp.), Database Analysts 
(BS+3yrs exp.), Network Anal- 
ysts (BS+ 3yrs. exp.) & IT 
Managers (BS + 3yrs superviso- 
ry exp) 


Respond by resume to HR, 855 
E. Golf Rd, #1125, Arlington Hts. 
IL 60005 


Engineer (New York, NY): De- 
velop/implement introspective & 
self-adaptive hardware & soft- 
ware sys. Design, implement & 
evaluate new program repre- 
sentations. Consult w/ engi- 
neers & clients to enhance reli- 
ability, scalability & perfor-
mance. Design systems & tech- 
niques to map applications on 
architectures. Must have M.S 
in Comp. Sci. or Elec. Eng., plus 
1 yr. specific experience. Send 
resume to Melanie Peters, 
Business Manager, Reservoir 
Labs, Inc., 632 Broadway, Suite
803, New York, NY 10012 


Programmer Analyst in NYC 
to analyze, dsgn, create 
prgms & dvip s/ware prgms & 
systms using Java, C++, JSP, 
Oracle, ASP, VB & VBScript 
Reg. Bach. in Engg, Comp. 
Sci/equiv. + 2 yrs exp in field 
Will accept any combination 
of ed., training, exp, which will 
meet min. req Resp. to 
Ganesh International, Rajesh 
Kalra, 12 W. 27th St. 2nd FI., 
NY NY 10001. Fax: 212-779- 
1616 E-Mail 
careersusa@crawtsys.com 


Quality Eng. wanted by 
company engaged in 
graphics and multimedia 
technology design, manu- 
facturing and marketing. 
Requires Bach. in CS or 
EE plus 3 yrs exp. includ- 
ing min. 2 yrs. audio/video 
software. Reply to ATI 
Research, Inc. H.R. 
Dept., Attn: K.B., 62 
Forest Street, Marl- 
borough, MA 01752. 




Sr. Network Engineer/Adminis- 
trator wanted by macro-political 
consultancy co. in NYC, NY. 
Must have a min. of a Bachelor's 
degree or foreign equiv. in 
Computer Sci., Engineering, 
Business or related and 1 yr. 
exp. in job offered or as a 
Network Administrator. In lieu of 
a Bachelor's degree, the em- 
ployer will accept an equivalent 
combination of formal university 
education and work experience 
in network administration. Send 
resume to Catherine Vitale @ 
Medley Global Advisors, LLC, 
451 Greenwich St, 6th Fl., NYC 
NY 10013. 


Prog. Analysts to analyze, 
design/develop s/w appls using 
Java, JavaScript, VBScript, 
ASP, HTML, Weblogic, Oracle, 
SQL, COBOL, DB2, CICS un- 
der Windows, UNIX & MVS OS; 
perform unit, functional, integra- 
tion, regression and systems 
level testing; analyze user reqs, 
prepare design documents; de- 
velop & enhance online & batch 
programs; implement, install, 
test, debug and modify new/ 
existing appls. Require: BS or 
foreign equiv. in CS/Engg. (any 
branch) & 2 yrs exp. in IT. 
Travel involved. High Salary. 
F/T. Resumes to: HR, Global IT 
Solutions USI, Inc 600 
Stevens Port Drive, Ste 125 
Dakota Dunes, SD 57049 


Sales Eng'g. - Present & 
sell comm. & recording 
equip. to clients. Req'd: 
10 yrs. exp. in job or 
software, sys., or test 
eng'g job & exp. w/ LAN/ 
WAN, Windows NT, CTI, 
CRM and PSAP. Res- 
umes: NICE Systems, 
Inc., 301 Route 17 
North, 10th Floor, Ruth- 
erford, NJ 07070. Attn: 
G. Farese 


Programmer Analysts to ana- 
lyze, design, develop appls us- 
ing: C, VB, JavaScript, HTML/ 
DHTML, EJB, JSP, ASP, Servlet,
UML, Oracle, SQL under Win- 
dows OS; perform initial study of 
req and provide feedback; pro- 
vide on site maintenance sup- 
port, debug, modify, fine tune 
and perform code optimization 
Require: BS or foreign equiv. in 
CS/Engg. (any branch) & 2 yrs of
exp. in IT. High Salary. Travel 
Involved. F/T. Positions avail- 
able in Elgin, IL and Lower 
Gwynedd, PA. Resume to: HR, 
Fourth Technologies, Inc., 1108 
N. Bethlehem Pike, Suite 8 
Lower Gwynedd, PA 19002 
Specify location desired on 
resume. 


Programmer Analysts 
(multiple positions)
sought by a New 
Jersey-based s/ware 
consulting firm. Must 
have Bach in Comp 
Sci., Engg or equiv 
and one yr relevant 
exp. Respond to: HR 
Dept., AK Systems, 
Inc., 100 Metroplex 
Drive, Suite 303, 
Edison, NJ 08817. 


Programmer Analyst need- 
ed w/exp to analyze, 
design, develop, test & 
implement interfaces & cus- 
tom solutions using C, 
Pro*C, PL/SQL, Oracle 
Forms & Reports, Oracle 
Clinical & Documentum on 
Windows. Send resumes 
to: Soft Tech Source - 
Ramesh Sarva CPA, P.C. 
16 Murray Guard Dr., 
Jackson, TN 38305 




Computer Information Supp-
ort Specialist: wanted by trav-
el management marketing
firm in Miami, FL. Applicants
must investigate computer
software and hardware prob-
lems of users. Applicant must
have a Bachelors of Science 
in Computer Engineering and 
1 yr. of exp. in the field. Mail 
resumes only to 4950 SW 
72nd Avenue, 2nd Floor, 
Miami, FL 33155. Attention 


Tammy Gonzalez 


Dynamic Systems, Inc. 
Programmer/Systems 
Analyst/Business Analyst 
For Lansdale, PA or 
North Brunswick, NJ 


Internet: Java, JSP,EJB,Web 
Sphere,WebLogic,Perl/CGI, VB
ASP,C#, ASP.NET Or VB.NET.
Admin:AIX,HP-UX, Solaris,Un- 
ix,Oracle, Sybase,DB2, Informix 
or SQL Server. Skills: RDBMS 
Unix, VC++,C,C++,AS/400,RPG, 
IBM MF Cobol, DB2.Clintrial 
Oracle Clinical Or SAS. 
job@dynamicsystems-inc.com 
525 Milltown Rd, #107, N. Brun- 
swick, NJ 08902; 650 N Cannon 
Ave, Lansdale, PA 19446 
Phone: 732-246-2297; Fax:732- 
246-3362 
www.dynamicsystems-inc.com 




A Fairfax, VA based Company 
seeking qualified Programmers. 
Analysts/Software Engineers/IT
Project Managers poss. MS/BS
or equiv and/or relevant work
experience. Duties incl. working
with at least 3 of the following
Java, Java Servlets, Oracle
Versata, HTML, XML, Java 
Script, Websphere, Rational 
Rose, PowerBuilder FoxPro and 
SQL Server. Send res. refs. and 
sal. req. to: Prescient Infotech 
Inc., 11130 Main Street, Suite 
100 E1, Fairfax, VA 22030 




Programmer Analyst. Design 
& Develop S/W t 
ize the payroll on 
95, 98 & NT, wit 
PL/SQL, ASP3.0, SQL Ser- 
ver 7. HTML, DHTML 
Visual Interdev, Frontpage 
VB, Java Scrip 

Req: BS in Comp. Sc 
Eng/Electrical Eng. 4 

wk. Job/Interview Site: Lake 
Havasu City, AZ. Send 
Resume to Desert Payroll 
Services Inc. @ P.O. Box 
3058, Lake Havasu, AZ 
86405-3058 




IT Education & Training Directory 


Contact the companies listed below 
to help you with your training needs! 
SurajSoft Inc. is hir-
ing System Admin
Send 
resume to 304 


Managers 


Town and Country 
Village Sunnyvale 
CA 94086. May be 
placed at client 


sites nationwide


To place your ad please call 800-762-2977 


IPexpert, Inc. 

(866) 225-8064 

www.ipexpert.com 

CCIE (R&S, SEC, and C&S), CCSP, 
CCNP, CCNA, IP Telephony 
CBT Nuggets

(888) 507-6283 & (541) 284-5522 
www.cbtnuggets.com 

Affordable training videos on CD 
MCSE, MCDBA, MCSD, CCNA, 
Citrix, Linux, A+, Net + 













Sr. Software Engineer (with 
Bachelors degree and 5 years 
Job entails and 
requires experience in team
management and design and
development of applications
including financial/banking
applications using Oracle 
DB2, FoxPro, C, C++, ProC 
JSP and EJB. Relocation 
within USA Possible. Attrac- 
tive compensation package 
Send resume to Sally 
Ronquillo, Cybernet Software 
Systems Inc., 3031 Tisch 
Way, Suite 1002, San Jose 
CA 95128 




computer 
siness applications 
are requirements 
ility of de 
tware system 
ting procedures using exper- 
n VB.NET, C#, PVCS 
eSafe, SQL, Sybase and 
Requirements: Bachelor's 
equivalent in Com- 
puter Science or related field 
and two years experience 
software engineer or co 
f knowledge 
VB.NET PVCS, Source- 
Safe 2 se and MTS 
2/year. Worki 
A.M. to 5:0C 
hours/week, involves 
travel and frequent 
relocation. Apply: Mon Valley 
Regional CareerLink, Attn: Actg 
‘ogram Supervisor, Donora 
Industrial Park 0 Galiffa 
Drive, Donora, PA 15033, Job 
No. WEB415970 


rogrammer 


engineer to design 

and test computer pro 

for business applications 

yze software requirements 

to determine feasibility of de 
sign; direct software system 
testing procedures using exper- 
tise in VB.NET, COM, XML 
DHTML and XPath. 

nents: Bachelor's De- 

or equivalent in Computer 
ence or related field and two 
years experience as a software 
engineer or computer program- 
mer, knowledge of VB.NET 
COM, XML, XSL, SQL, DHTML 
and XPath. Salary: $70,242 
Working Conditions: 8:00 

to 5:00 P.M., 40 hours 
week, involves extensive travel 
and frequent relocation. Apply 
Site Manager, Armstrong County 
CareerLink, 1270 North Water 
Street, PO Box 759, Kittanning 
PA 16201, Job No. WEB415966 


SOFTWARE ENGINEER to des: 
3n, develop and implement web: 
based application software and 
databases using Java, J2EE 
Java Mail API, EJB, JN 
XML, JavaScript, Web: 
WebSphere, Struts, Ant 

SQL Server 

ational Rose 

ess and MS Visio on 
dows XP/2000, Linux and UNIX 
platforms; Test applications man 
jally and a matically using 
WinRunner and LoadRunner 
M.S. degree in Comput 
ce/Engineering, Mathe. 
a closely related fi 


exp in the job of 

r as a Systems Analyst 
2 travel on assigr 

client sites within the 


U.S tiv 


s required. Comp 
salary offered. Apply by resume 
Sophie Mooker ftware 

jigms_ Internatic 
Roswell Rd 134 
GA Attn: Jot 


SENIOR SOFTWARE ENGIN 
EER to design, develop and test 
application software using (¢ 
C++, COBOL 
Perl 
Novell eDirectory V 
blix NetPoint, IBM MQ 
Series, BEA’s Tuxedo Trans. 
action Manager, Oracle, Oracle 
XSU, Rational Rose and Cl 
ase under SUN Solaris ar 
HP-t ting systems; Men: 
‘or junior programm 
gineers. Require: B.S 
Science, an Engineering 
closely related f 
progressively res 
grammer. Extens trave’ yn
assignment ) various lient 
Ss required 
salary offered. Ap 
y resume to: Kondala R 
Jala, Apkon Systems, In 
Trace, Marietta 


Mad 


Software engineer to design, de-
velop and test computer pro-
grams for business applications
analyze software requirements 
to determine feasibility of 
sign; direct software system 
testing procedures using exper- 
tise in Sybase, Oracle, Web- 
Logic and Visual Studio .NET 
Requirements: Bachelor's De 
gree or equivalent in Computer 
Science or related field and two 
experience as a software 
ineer or computer program- 
knowledge of Sybase 
Oracle, WebLogic and Visual 
Studio .NET. Salary: $70,242 
year. Working Conditions: 8:00 
A.M. to 5:00 P.M., 40 hours: 
week, involves extensive travel
and frequent relocation. Apply 
BECS/CareerLink Program Sup 
ervisor, Indiana County Career 
Link ) Indian Springs Road 
Indiar PA 15701, Job No 
WEB415974 


NETWORK SYSTEMS ENGI- 
NEER to administer, design 
install, configure, maintain and 
trouble-shoot LAN/WAN under 
Windows and Linux operating 
systems; Responsible for net 
work performance, hardware 
optimization and client/server 
performance tuning; Assign IP 
addresses, install and configure 
software, client machines and 
peripherals to the network: De- 
sign and implement protocols 
topologies, passive hubs, swit- 
ches, and other network related 
technology. Require: B.S. de 
gree in Computer Science, Info 
Technology, or a closely related 
field with 1 yr of exp in the job 
offered or as a Systems Admin 
istrator, or Computer Systems 
Engineer. Competitive salary 
offered. Apply by resume to 
Eduardo Santos, Noble Systems 
Corporation, 4151 Ashford 
Dunwoody Road, Suite 550 
Atlanta, GA 30319; Attn: Job PF 
Consultant (Multiple positions
Req. Bach.'s degree or higher in
CS, Eng., or rel. field (or equiv
foreign educ.) & 3 yrs.' exp. in
client/server s/ware devel. using
OOP concepts & methodolo-
gies. Stated exp. must incl. 1 yr.
in each of the following: creating
interfaces, reports, stand-alone
applications, stored procedures 
& extensions for Facets integrat- 
ed delivery system; & exp. with 5 
of the following: Java, C++ 
J2EE, EC Gateway, Xmi 
Oracle, SQL, & Sybase. Consult 
with healthcare industry clients 
to analyze & define application 
design reqs. & r expected 
hrs./wk. Apply with resume to
Human Resources 2801
CL, Visual C++ or C++, NT
degree and 2-3 years exp. Level
i: M.S. or B.S. and 5 yrs. exp 
Experience should include de 
sign, development, testing and 
implement 1 of commercial 
systems. Assignments may be 
anywhere in the U.S. Travel 
required. Forward resumes to 
Manager@MilestoneConsuiting. 

8625 NW. street, Suite 

mi, FL 33126 


Software Engineer to analysis. 
design, develop, test, imple 
ment and support PeopleSoft’s 
web architecture global ERP 
Solutions; as a technical lead 
develop solutions throughout 
the project's life-cycle with 
hands on experience in SQRs. 
security, LDAP. Informix 
Oracle, and PL/SQL. Bachelor 
Degree and 5 years in full- 
cycle experience for HR, PY, 
AP, GL, T&L, PO, BI and SS. 
Send Resume to Datum 
Software Inc. Attn: HR, 6525 
The Corners Parkway, Suite 
312, Norcross, GA 30092 
Bluetooth

tool called Bluewatch from AirDefense Inc. to scan every device on his network and employees’ mobile phones for the presence of the wireless technology. Hawkins will then decide which devices should be allowed to run Bluetooth and access the network at Leapfrog, an Atlanta-based vendor of managed network services.

Cracks in Bluetooth’s security capabilities first came to light in February, when researchers in the U.K. said they had developed a tool that could exploit a flaw in some phones to connect to other devices without going through the normal pairing process. Once the connection was established, the tool could download data such as address books and personal calendars [QuickLink 44727].

Attack Techniques

The Bluetooth Special Interest Group (SIG), a trade association based in Overland Park, Kan., today plans to address the technology’s vulnerability to the “bluesnarfing” attacks and another hacking technique called “bluejacking.”

The group said in a statement that Bluetooth users need to “understand the realities of the situation [and] know how to protect themselves.” Patches are available for the phones that are at risk of being attacked, said a spokesman for the Bluetooth SIG. He added that the group also plans to detail initiatives it has under way to make Bluetooth more secure.

The spokesman said that only a relatively small number of phones from Nokia Corp. and Sony Ericsson Mobile Communications AB are susceptible to bluesnarfing. Despite the current concerns, he claimed that Bluetooth “is more secure than any other wireless technology” because of the short transmission range of most devices and its 128-bit encryption capabilities. Neither Nokia nor Sony Ericsson returned calls.

Bluetooth security concerns will likely continue to grow as devices that use the technology proliferate, said Chris Kozup, an analyst at Meta Group Inc. Kozup said Bluetooth-equipped mobile phones can be a particularly vexing problem for IT managers because many are bought by individual employees, making them harder to manage than corporate assets such as laptop PCs.

Bluejacking involves sending unsolicited text messages to other Bluetooth users. Karl Feilder, president and CEO of Red-M Ltd., a vendor of wireless security tools in Bucks, England, described bluejacking as “an annoyance” that can be defeated by turning off the phone function on devices, which needs to be on to allow the exchange of such messages.

Few IT managers are even aware of Bluetooth’s widespread use, Feilder said. Worldwide shipments of mobile phones and other devices that use the technology exceeded 1 million units per week last year, according to the Bluetooth SIG. He estimated that as many as 2 billion Bluetooth-equipped devices could be in use by next year.

Many Bluetooth products are short-range devices that can transmit across distances of only about 30 feet. But Jay Chaudhary, chairman of AirDefense in Alpharetta, Ga., said a large number of laptop PCs include longer-range Bluetooth radios that can work at distances of up to 300 feet. That could make them more vulnerable to attacks, he said.

AirDefense’s Bluewatch detection tool costs $295 for use on a laptop PC. Red-M also offers a Bluetooth detection system that’s based on radio frequency sensors deployed throughout a company’s offices, with costs for an installation running between $50,000 and $250,000, according to Feilder. @ 46757


E-voting

voter-verifiable paper receipts, the 50 million Americans who will use electronic voting machines this fall will have no way of knowing if their votes were subject to electronic tampering. Moreover, the code base powering the systems is so large and complex that there’s no efficient way for election officials to be sure that it’s free of malicious code designed to manipulate election results.

Avi Rubin, a professor at the Johns Hopkins University Information Security Institute in Baltimore, said his biggest concern is the threat of individuals who have access to the code base rigging the election. “And it’s virtually undetectable,” he said.

“The trusted computing base is approximately 50,000 lines of computer code sitting on top of tens of millions of lines of [operating system] code,” Rubin said. “It is impossible to secure such a large trusted-computing base.”

Rubin recently had 40 Ph.D. candidates design Trojan horse programs to assess the security of the e-voting systems. “I was astounded to see the cleverness and ease with which the malicious code was hidden and how difficult it was to find,” he told the commission. “In the short term, meaning November 2004, a voter-verifiable paper ballot is necessary. It’s the only way to get around all of the security problems in the machines” and, if necessary, to conduct meaningful recounts.

Identifying Vulnerabilities

Rubin, who has come under fire from IT vendors and their Washington lobbying group, the Information Technology Association of America, recently worked as a polling official to observe the process firsthand.

Although Rubin said that the experience forced him to rethink some of his early concerns about the security of the systems, he added that he came away with new concerns about the risk of manipulation and fraud.

“At the end of the day, the memory cards were taken out of all of the machines and put into one machine ... and then they were [transmitted via modem] to back-end servers,” said Rubin. He also noted that the polling station used a broken cipher for encryption and a key that was hard-wired to all of the machines. That constituted “a single point of vulnerability,” he said.

Ted Selker, a professor at MIT and a former IBM fellow, said there are ways to counter such vulnerabilities. But encryption would be too difficult to deploy in time for the November vote, he said. And in some cases, registration databases remain full of errors — a problem that led to the loss of between 1.5 million and 3 million votes during the 2000 election, Selker said.

The IT vendors that make the systems in question sought to discredit Rubin’s research by characterizing it as laboratory work that has little relevance to a real-world voting environment. Some also complained that until last year, election officials were more interested in usability improvements than in better security.

“What’s been missing from these laboratory-originated critiques has been the real-world experience of the voting booth,” said Mark Radke, director of marketing at McKinney, Texas-based Diebold Election Systems, which made the system tested by Rubin and his students. The questions and doubts raised are “theoretical in nature,” he said.

Neil McClure, general manager of Hart InterCivic Inc. in Austin, said product changes should be based on risk assessments, not solely on the existence of vulnerabilities. He discounted the threat of electronic tampering, saying it would require a long-term commitment by a motivated attacker.

In any case, both the IT vendors and the researchers agreed that properly securing the existing systems will also be a long-term process.

“For 2004, we have the equipment we have,” said
Sinister Sasser

THINK THE SASSER WORM IS TRIVIAL? Think just because it had near-zero impact on U.S. businesses, it’s not something you need to worry about? Think again. True, Sasser infections numbered only in the dozens at places like American Express, Citibank and Lehman Brothers, and the worm was cleaned up quickly. Even in Europe, where banks, a stock exchange and even the offices of the European Commission were reportedly hit, Sasser was more of an annoyance than a crisis — nothing to really worry about.

Start worrying. Worm writers are learning. And they have a plan.

Why do you think there are endless versions of new, seemingly ineffective worms like Netsky and Sasser? They don’t do much besides spread themselves. So why 30 versions of Netsky in 11 weeks? Why a dozen Welchia worms in three months? Think: Why would you churn out lots of small prototypes very quickly, with only slight differences among them?

That’s right — to test them with users and get feedback, to find out which features of each prototype work and which are a waste of time. We do it with a pilot group of users. The worm writers are doing it with the entire Internet.

These prototype worms aren’t supposed to wreak havoc. They’re just supposed to spread. They’re experiments, prototypes with cycle after cycle of tweaking and testing.

Once, the individuals who wrote malware just took their best shot. Now they work in teams, developing their software slowly and carefully, testing one element at a time. Those step-by-step results aren’t very dramatic. But once the worm writers put it all together, their worms will be a lot more likely to work.

Feeling a little worried yet?

That slow, steady approach to worm writing has other results, too. Worm writers now know that the timing of a worm launch matters. Sasser hit on Friday evening, just after the security experts went home for what was a three-day weekend in Europe — so it got a much better head start than if it had been released on a Thursday afternoon.

Worm writers have also accustomed us to lots of worms — two or three new variants per day now — and high infection rates. Five years ago, the Chernobyl virus spread to 700,000 computers. Everyone was astounded. Last week, Sasser probably topped a million, and everyone yawned. As worm writers are getting more methodical, effective and — ultimately — threatening, we’re paying less attention.

So what is their plan? What’s all this meticulous worm development leading to?

We don’t know. But we can guess. The goal might just be a giant network of spam relays. Or it could be something much worse.

What if all those different worms are turned into empty delivery vehicles? What if a future generation does its overnight mass infection, and then each worm phones home for a payload? That would form a perfect platform for massive denial-of-service attacks. Properly designed, the worms could hide their target until the last minute — because they won’t contain the attack payload until the last minute.

Worried now? Good.

That DoS attack, when it comes, might be aimed squarely at you. It might hit a key supplier or service provider. It might just suck up all the bandwidth in your vicinity. You need to be prepared for an attack — or for collateral damage.

If you don’t already have a DoS recovery plan, make one now. Then test it. Refine it. Make sure your IT shop can execute it. Prepare for a DoS attack like you would for a fire, flood or any other disaster.

Because even if those worms don’t ultimately pose a DoS threat, you’re no worse off. You’re ready in case someone or something else slams you with a DoS attack.

But if the worms turn on you, the last thing you’ll think they are is trivial. @ 46707

FRANK HAYES, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.


SHARK TANK

Wrong, Wrong, Wrong!

This county office moves from dumb terminals to networked PCs so swiftly that there are lots of equipment problems: misadjusted monitors, keyboards with cables that don’t reach - you get the idea. It’s no big deal, reports a pilot fish there, and employees shift things around for themselves. Then the nontechie manager hears about it. “She gathered us in an auditorium and exhorted us to call the help desk even if all we needed was to move the monitor from one side of a desk to the other,” fish says. “Why? Well, obviously, because if you move them, they could explode!”

Flying Blind

Tech pilot fish gets the call when the payroll department’s printer jams halfway through printing payroll checks. “When I ap- ... payroll clerk jumped in front of me and told me I couldn’t look at the checks,” fish says. “I asked her how I was supposed to fix the jam if I couldn’t get near the printer. She told me I would have to keep my eyes closed.”

About One Link Short of a Chain

... ship and especially a strong chain of command. So sysadmin pilot fish is puzzled to find himself in the CIO’s office - without his IT manager boss - hearing the CIO gripe that he doesn’t know what fish does all day. “I start to enumerate my many duties,” says fish. “But he cuts me off, saying, ‘I don’t want to know what you’re doing!’”

Big Bother

New wireless network at a health clinic works fine for a few days. Then it stops working, and a pilot fish is sent to inves- ... point has been unplugged. Turns out one of the nurses did it. ... me why you set up a staff monitoring device in their area. It isn’t any of your business what they were doing, so they unplugged it.” Fish explains what the wireless access point is really for, but supervisor is still un- ... on it, so we just figured we would unplug Big

That Tiny Web

When this contractor pilot fish gets hired as a regular employee, he finally has real health insurance. But he can’t find the list of doctors on the insurance provider’s Web site, so he asks the HR director. “Have you looked at the purple book on the HR table?” she says. No, I was looking online, says fish. “It’s not online,” she tells him. “They have to print it. The list of doctors is too long, and it changes too often.”

NEVER MIND BIG BROTHER, Sharky is watching: sharky@computerworld.com. You score a stylish Shark shirt if I tell your true tale of IT life. And check out the daily feed, browse the Sharkives and sign up for Shark Tank home delivery at computerworld.com/sharky.